
A

BY MASTERS, INFORMATICS CZU, SUCHDOL, PRAHA

APRIL 2012

1. PREAMBLE
2. CLOUD SECURITY THREATS AND RISKS
3. OTHER SECURITY THREATS AND RISKS
4. CONCLUDING REMARKS
5. REFERENCES

"Comes from the early days of the Internet where we drew the network as a cloud... we didn't care where the messages went... the cloud hid it from us." (Kevin Marks, Google)

Every great leap in technological development is usually accompanied by a host of mild to possibly severe security threats and risks. Cloud computing is certainly no exception; it carries with it a few security concerns that are being dealt with even as you're listening. However, once people catch on to this new technology and begin implementing it into their daily lives, the security threats cum risks could potentially run rampant.

What is Cloud Computing?

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (US NIST definition of Cloud Computing)

SERVICE MODELS:

1. Software as a Service (SaaS): Use provider's applications over a network
2. Platform as a Service (PaaS): Deploy customer-created applications to a cloud
3. Infrastructure as a Service (IaaS): Rent processing, storage, network capacity, and other

DEPLOYMENT MODELS:

1. Private cloud: enterprise owned or leased
2. Community cloud: shared infrastructure for specific community
3. Public cloud: sold to the public, mega-scale infrastructure
4. Hybrid cloud: composition of two or more clouds

A hypervisor, also called a virtual machine manager, is a program or firmware. It allows multiple operating systems to share a single hardware host, whereby each operating system appears to have the host's processor, memory, and other resources all to itself. However, the hypervisor is actually controlling the host processor and resources, allocating what is needed to each operating system in turn and making sure that the guest operating systems (called virtual machines) cannot disrupt each other.

Using a VM for each application provides isolation, more than running 2 apps on the same server.


CLOUD COMPUTING QUESTIONS

Your data is where? Which country?
Who has access? Have staff been vetted?
How well is it segregated from other users?
Is it encrypted? Who holds the keys?
How is it backed up (encrypted? where is it?)?
How is it transmitted (encrypted? authenticated?)?
Have the providers been tested by a reputable third party?

Abuse and Nefarious Use of Cloud: Cloud computing providers are actively being targeted, partly due to their less stringent registration systems, which allow anonymity, and to providers' limited fraud detection capabilities. The major security concerns include password and key cracking, DDoS, launching dynamic attack points, hosting malicious data, etc.

Malicious Insiders: As organizations deploy cloud services, the human factor takes on an even more prominent role. This kind of situation clearly creates an attractive opportunity for an adversary, ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.

Shared Technology Issues: Hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform. The major objective behind virtualization is multitenancy, but what happens when a breach allows customers to gain unauthorised access to other tenants' actual or residual data, network traffic, applications, etc.?

Data Loss or Leakage: The threat of data compromise increases in the cloud, due to the architectural or operational characteristics of the cloud environment. There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Examples include insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys; operational failures; jurisdiction and political issues; data center reliability; and disaster recovery.

Account or Service Hijacking: If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Account and service hijacking, usually with stolen credentials, remains a primary threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity and availability of those services.

Accountability
No Security Perimeter
Larger Attack Surface
New Side Channels
Lack of Auditability
Regulatory Compliance
Continuity and Incident Management
Identity and Access Management

The economics of cloud computing appear to be sound and compelling, and many of the technologies underpinning the cloud are maturing and proliferating at a fast pace. Cloud computing is an industry trend that is here to stay. That said, there are obviously a handful of security threats and risks in transitioning to the cloud. Hence, strong IT governance and control measures are an essential part of any decision to transition to the virtual cloud domain. It would be good to state here that none of these security threats and risks is strictly unique to cloud services. However, the fact that cloud models combine so many elements and add a layer of complexity means that they are considered to be more problematic.


THANK YOU FOR THE RAPT ATTENTION
