Lecture 7 Security in Cloud Computing - PowerPoint PPT Presentation

1 / 50
About This Presentation
Title:

Lecture 7 Security in Cloud Computing

Description:

Lecture 7 Security in Cloud Computing Asst.Prof. Supakorn Kungpisdan, Ph.D. supakorn_at_mut.ac.th Authentication and Authorization With SaaS, the software is hosted ... – PowerPoint PPT presentation

Number of Views:1338
Avg rating:3.0/5.0
Slides: 51
Provided by: CourseTe
Category:

less

Transcript and Presenter's Notes

Title: Lecture 7 Security in Cloud Computing


1
Lecture 7Security in Cloud Computing
  • Asst.Prof. Supakorn Kungpisdan, Ph.D.
  • supakorn_at_mut.ac.th

2
Subwaves within the information age
3
Evolution of Cloud Computing
4
Why Cloud?
  • Cloud computing is a low-cost solution.
  • Cloud computing offers responsiveness and
    flexibility.
  • The IT expense matches the transaction volumes.
  • Business users are in direct control of
    technology decisions.
  • The line between home computing applications and
    enterprise applications will blur.

5
Sources of incremental IT spending growth
6
Worldwide IT cloud services spending
7
Evolution of Cloud Computing (cont.)
  • ISP 1.0
  • ISPs quickly proliferated to provide access to
    the Internet for organizations and individuals.
  • These early ISPs merely provided Internet
    connectivity for users and small businesses,
    often over dial-up telephone service.
  • ISP2.0
  • As access to the Internet became a commodity,
    ISPs consolidated and searched for other
    value-added services, such as providing access to
    email and to servers at their facilities.

8
Evolution of Cloud Computing (cont.)
  • ISP3.0
  • Colocation facilities specialized facilities for
    hosting organizations (customers) servers,
    along with the infrastructure to support them and
    the applications running on them.
  • Those facilities are a type of data center where
    multiple customers locate network, server, and
    storage gear and interconnect to a variety of
    telecommunications and other network service
    provider(s) with a minimum of cost and
    complexity.

9
Evolution of Cloud Computing (cont.)
  • ISP4.0
  • As collocation facilities proliferated and became
    commoditized, the next step in the evolution was
    the formation of application service providers
    (ASPs), which focused on a higher value-added
    service of providing specialized applications for
    organizations, and not just the computing
    infrastructure.
  • ASPs typically owned and operated the software
    application(s) they provided, as well as the
    necessary infrastructure.

10
Cloud Computing (ISP5.0)
  • Although ASPs might appear similar to a service
    delivery model of cloud computing that is
    referred to as software-as-a-service (SaaS),
    there is an important difference in how these
    services are provided, and in the business model.
  • Although ASPs usually provided services to
    multiple customers (just as SaaS providers do
    today), they did so through dedicated
    infrastructures.
  • That is, each customer had its own dedicated
    instance of an application, and that instance
    usually ran on a dedicated host or server.
  • The important difference between SaaS providers
    and ASPs is that SaaS providers offer access to
    applications on a shared, not dedicated,
    infrastructure.

11
Cloud Computing Defined
Properties Descriptions
Multi-tenancy (shared resources) cloud computing is based on a business model in which resources are shared (i.e., multiple users use the same resource) at the network level, host level, and application level.
Massive scalability cloud computing provides the ability to scale to tens of thousands of systems, as well as the ability to massively scale bandwidth and storage space
Elasticity Users can rapidly increase and decrease their computing resources as needed, as well as release resources for other uses when they are no longer required.
Pay as you go Users pay for only the resources they actually use and for only the time they require them.
Self-provisioning of resources Users self-provision resources, such as additional systems (processing capability, software, storage) and network resources
12
Attributes of Elasticity
13
Notable Cloud Launches
14
SPI Service Model
15
Architecture for Relevant Technologies
16
Cloud Services Delivery Model
17
Cloud Deployment Model
  • Private Clouds
  • Public Clouds
  • Hybrid Clouds

18
Cloud Service Deployment Model
19
Public Clouds
20
Hybrid Clouds
21
Key Drivers to Adopting Clouds
  • Small Initial Investment and Low Ongoing Costs
  • Economies of Scale
  • Open Standards
  • Sustainability

22
Governance in the Cloud
23
Barriers to Cloud Computing Adoption in the
Enterprise
  • Security
  • Privacy
  • Connectivity and Open Access
  • Reliability
  • Interoperability
  • Independence from CSPs
  • Economic Value
  • Changes in the IT Organization
  • IT Governance
  • Political Issues Due to Global Boundaries

24
Complexity of security in cloud environment
25
Security Issues in Service Models
  • Security in SaaS
  • Most enterprises are still uncomfortable with the
    SaaS model due to lack of visibility about the
    way their data is stored and secured.
  • Security in IaaS
  • IaaS only provides basic security (perimeter
    firewall, load balancing, etc.) and applications
    moving into the cloud will need higher levels of
    security provided at the host.
  • Security in PaaS
  • PaaS offers an integrated set of developer
    environment that a developer can tap to build
    their applications without having any clue about
    what is going on underneath the service.
  • This can be helpful for a hacker to leverage the
    PaaS cloud infrastructure for malware command and
    control and go behind IaaS applications.

26
Security for the SaaS Stack
27
Security for the SaaS StackData Security
  • In a traditional on-premise application
    deployment model, sensitive data of each
    enterprise continues to reside within the
    enterprise boundary and is subject to its
    physical, logical and personnel security and
    access control policies.
  • In SaaS model, the enterprise data is stored
    outside the enterprise boundary, at the SaaS
    vendor end.
  • EC2 Administrators with a business need are
    required to use their individual cryptographi-
    cally strong Secure Shell (SSH) keys to gain
    access to a host. All such accesses are logged
    and routinely audited.
  • Data at rest in Simple Storage Service (S3) is
    not encrypted by default, users can encrypt their
    data before it is uploaded to Amazon S3, so that
    it is not accessed or tampered with by any
    unauthorized party.

28
Possible Vulnerabilities in SaaS
  • Cross-site scripting XSS
  • Access control weaknesses
  • OS and SQL injection flaws
  • Cross-site request forgery CSRF
  • Cookie manipulation
  • Hidden field manipulation
  • Insecure storage
  • Insecure configuration

29
Security for the SaaS StackNetwork Security
  • Sensitive data is obtained from the enterprises,
    processed by the SaaS application and stored at
    the SaaS vendor end.
  • All data flow over the network needs to be
    secured in order to prevent leakage of sensitive
    information.
  • This involves the use of strong network traffic
    encryption techniques such as Secure Socket Layer
    (SSL) and the Transport Layer Security (TLS) for
    security.

30
Data Locality
  • Customer does not know where the data is getting
    stored.
  • Due to compliance and data privacy laws in
    various countries, locality of data is of utmost
    importance in many enterprise architecture.
  • In many EU and South America countries, certain
    types of data cannot leave the country because of
    potentially sensitive information.
  • A secure SaaS model must be capable of providing
    reliability to the customer on the location of
    the data of the consumer.

31
Data Integrity
  • Each SaaS application may have different levels
    of availability and SLA (service-level
    agreement), which further complicates management
    of transactions and data integrity across
    multiple SaaS applications.
  • The lack of integrity controls at the data level
    (or, in the case of existing integrity controls,
    bypassing the application logic to access the
    database directly) could result in problems.

32
Data Segregation
  • data of various users will reside at the same
    location. Intrusion of data of one user by
    another becomes possible in this environment.
  • A SaaS model should therefore ensure a clear
    boundary for each users data.
  • The boundary must be ensured not only at the
    physical level but also at the application level.
  • Possible Attacks include SQL injection flaws,
    Data validation, and Insecure storage.

33
Data Access
  • The SaaS model must be flexible enough to
    incorporate the specific policies put forward by
    the organization.
  • The model must also be able to provide
    organizational boundary within the cloud because
    multiple organization will be deploying their
    business processes within a single cloud
    environment.

34
Authentication and Authorization
  • With SaaS, the software is hosted outside of the
    corporate firewall.
  • Many a times user credentials are stored in the
    SaaS providers databases and not as part of the
    corporate IT infrastructure.
  • This means SaaS customers must remember to
    remove/disable accounts as employees leave the
    company and create/enable accounts as come
    onboard.

35
Vulnerabilities in Virtualization
  • Some vulnerability has been found in all
    virtualization software which can be exploited by
    malicious, local users to bypass certain security
    restrictions or gain privileges.
  • For example, the vulnerability of Microsoft
    Virtual PC and Microsoft Virtual Server could
    allow a guest operating system user to run code
    on the host or another guest operating system.
  • Vulnerability in Virtual PC and Virtual Server
    could allow elevation of privilege.

36
Availability
  • A multi-tier architecture needs to be adopted,
    supported by a load-balanced farm of application
    instances, running on a variable number of
    servers.
  • Resiliency to hardware/software failures, as well
    as to denial of service attacks, needs to be
    built from the ground up within the application.

37
Backups
  • The SaaS vendor needs to ensure that all
    sensitive enterprise data is regularly backed up
    to facilitate quick recovery in case of
    disasters.
  • The use of strong encryption schemes to protect
    the backup data is recommended
  • In the case of cloud vendors such as Amazon, the
    data at rest in S3 is not encrypted by default.
    The users need to separately encrypt their data
    and backups so that it cannot be accessed or
    tampered with by unauthorized parties.

38
Identity Management
39
Security in PaaS
  • Provider might give some control to the people to
    build applications on top of the platform.
  • But any security below the application level such
    as host and network intrusion prevention will
    still be in the scope of the provider and the
    provider has to offer strong assurances that the
    data remains inaccessible between applications.
  • PaaS is intended to enable developers to build
    their own applications on top of the platform.

40
Security in PaaS (cont.)
  • Hackers are likely to attack visible code,
    including but not limited to code running in user
    context.
  • They are likely to attack the infrastructure and
    perform extensive black box testing.
  • The vulnerabilities of cloud are not only
    associated with the web applications but also
    vulnerabilities associated with the
    machine-to-machine Service-Oriented Architecture
    (SOA) applications, which are increasingly being
    deployed in the cloud.

41
Security Issues in IaaS
  • With IaaS the developer has better control over
    the security as long as there is no security hole
    in the virtualization manager.
  • The security responsibilities of both the
    provider and the consumer greatly differ between
    cloud service models.
  • Amazons EC2 infrastructure as a service offering
    includes vendor responsibility for security up to
    the hypervisor, meaning they can only address
    security controls such as physical security,
    environmental security, and virtualization
    security.
  • The consumer, in turn, is responsible for the
    security controls that relate to the IT system
    including the OS, applications and data

42
Security Management and Monitoring Scope
43
ITIL Life Cycle in Enterprise
44
Security Management in Clouds
  • Availability management (ITIL)
  • Access control (ISO/IEC 27002, ITIL)
  • Vulnerability management (ISO/IEC 27002)
  • Patch management (ITIL)
  • Configuration management (ITIL)
  • Incident response (ISO/IEC 27002)
  • System use and access monitoring (ISO/IEC 27002)

45
Security-as-a-Service
  • Email filtering (including backup, archival, and
    e-discovery)
  • Web content filtering vulnerability management
  • Identity-as-a-service (spelled as IDaaS).

46
Email Filtering
  • SaaS for email primarily involves cleansing spam,
    phishing emails, and malware included in email
    from an organizations incoming email stream, and
    then delivering that clean email securely to the
    organization so that it is effectively not
    repolluted.
  • Not only more comprehensive security for clients
    due to the use of multiple engines, but also
    better performance of those client devices
    (because the anti-malware runs in the cloud and
    not on the endpoint directly), as well as far
    better anti-malware management.
  • Provide email encryption, SSL tunnel between
    email servers, backups and recovery

47
Web Content Filtering
48
Vulnerability Management
  • Discover, prioritize, and assess systems for
    vulnerabilities, and then report and remediate
    those vulnerabilities and verify the systems
    secure operation.
  • Monitor for and report on compliance with some
    regulatory requirements (e.g., the Payment Card
    Industrys Data Security Standard).

49
Identity Management-As-a-Service
50
Questions?
Write a Comment
User Comments (0)
About PowerShow.com