SlideShare ist ein Scribd-Unternehmen logo

Unit 5

Als PPT, PDF herunterladen
D
DhanalakshmiVelusamy1

Grid and Cloud Computing Security

Ingenieurwesen
1 von 30
UNIT – V UNIT V SECURITY Trust models for Grid security environment –Authentication and Authorization methods – Grid security infrastructure – Cloud Infrastructure security: network, host and application level – aspects of data security, provider data and its security, Identity and access management architecture, IAM practices in the cloud, SaaS, PaaS, IaaS availability in the cloud, Key privacy issues in the cloud.
INTRODUCTION • The security is an important factor in planning and maintaining a grid as well as cloud environment. • Secure operations in both the environments requires applications and services to be capable of supporting variety of security functions such as authentication, authorization, credential conversion, auditing and delegation. • Trust – belief in the competence of an entity • 1 – trustworthy • 0 - untrustworthy
Trust Models for Grid Security Environment • Security is the important factor which has to be handled carefully. • The lack of security may generate various issues like • Denial of access • Faulty and malicious operations • Network sniffing • Attack provenance • System level vulnerabilities • The domain of grid is very large which span across multiple locations. Therefore trusted and secure end-to-end delivery of grid services is required.
• Two parameter used in security assurance condition : TI ≥ SD • A user job demands the resource site to provide security assurance by issuing a security demand (SD). • The site needs to reveal its trustworthiness, called its trust index (TI). • These attributes and their values are dynamically changing and depend heavily on • the trust model, • security policy, • accumulated reputation, • self-defense capability, • attack history and site vulnerability.
• Three challenges: • How to integrate new security infrastructure for existing system. • Interoperability between different hosting environment. • Maintaining trust relationship between different hosting sites. • Different trust models: • Conventional trust model • Reputation based trust model • Fuzzy based trust model
Conventional trust model Grid resource request Security controller Trustworthiness Interfernce mechanism with aggregation Reputation factors Recommended trust safeguards Response and TAT firewall Utilization rate IDS Success rate IPS Avg slowdown ratio Antivirus
Reputation based trust model • In reputation based model, the user sent job to resource site for computation but it will be delivered only if site is trustworthy to fulfill user demand. • assessed according to such factors as intrusion detection, firewall, response capabilities, anti-virus capacity, and so on. • The safeguards are used to protect site itself from various attacks using IDS, IPS, firewalls or antivirus. • A positive experience associated with a site will improve its reputation. • On the contrary, a negative experience with a site will decrease its reputation
Fuzzy based trust model • The fuzzy based model is based on Security Demand(SD) and Trust Index(TI) of a site. • two-level fuzzy logic to estimate the aggregation of numerous • trust parameters and security attributes into scalar quantities that are easy to use in the job scheduling and resource mapping process. • TI – 1- high risk 0 – risk free • The fuzzy inference is accomplished through four steps: fuzzification,inference, aggregation, and defuzzification. • SD > TI , the trust model could deduce detailed security features to guide the site security upgrade as a result of tuning the fuzzy system.
Authentication and Authorization Methods • Authentication and Authorization methods are the security mechanisms work together to prevent security attacks in grid environment.
Authentication Methods • The authentication is a process of checking authenticity of entities using different authentication methods like • Password(User name, Password) • Public key Infrastructure(PKI)(CA) • Kerberos(Session Key)
Authorization Methods • The authorization is a process of determining who is allowed to access which shared resources under what condition. • Three types of authorities namely • Attribute Authorities – issue attribute assertions • Policy Authorities – issues authorization policies wrt resources • Identity Authorities – issues certificates using Public key infrastructure (PKI) • Three basic entities • Subject – defines a set of policies determines how its authorization used • Resource – component of the system • Authority – capable of issuing validating and revoking the proofs of subjects of rights
Authentication Models 2 1 4 3 Authorization authority Subject Resource 1. Subject push authorization model The user conducts handshake with the authority first and then with the resource site in a sequence.
2. Resource pull authorization model 3 2 • puts the resource in the middle. • The user checks the resource first. Then the resource 1 4 • contacts its authority to verify the request, and the Authority authorizes at step 3. • Finally the resource accepts or rejects the request from the subject at step 4 Authorization authority Resource Subject
3. The agent based authorization model • puts the resource in the middle. • The user checks the resource first. Then the resource • contacts its authority to verify the request, and the authority • authorizes at step 3. Finally the resource accepts or rejects the request from the subject at step 4 1 4 3 2 Subject Resource Authorization authority Authorization agent
Grid Security Infrastructure • Grid environment seeks a security infrastructure that meets the following basic requirements. • Easy to use • Meets the VO’s security when working with site policies • An appropriate authentication and encryption for all interactions • GSI also part of globus toolkit and provides basic security services • Message protection • Authentication and delegation • Authorization
GSI • Functional Layers of GSI • Transport Level Security of GSI • Message Level Security of GSI • Authentication and Delegation of GSI • Trust Delegation of GSI
Functional Layers of GSI • GT4 offers various WS and pre-WS authentication and authorization capabilities. • Four functions are • Message protection • Authentication • Delegation • Authorization
Transport Level Security of GSI • TLS is based on SOAP(Simple Object Access Protocol) message passed over a network connection protected by TLS. • TLS is responsible for providing • Integrity protection • Privacy • TLS performs the authentication via •Username •Password
Message Level Security of GSI • GSI offers message level security for SOAP messages by implementing the WS – security standard and using the WS – secure conversation specification. • WS – secure conversation specification is a standard proposed from IBM and Microsoft which allows exchange of messages. • Three more protection mechanisms • Integrity protection • Encryption • Replay prevention
Authentication and Delegation of GSI • GSI offers both authentication and delegation by using CA and public key. • It also provides through username and password . • GSI certificate contains the following components. • Name of the subject • Public key of the subject • Identify the signature • Digital signature that belongs to the CA
Trust Delegation of GSI • GSI offers delegation capability and services through an interface. • This interface allows client to delegate certificate to a service. • The interface is based on WS – Trust specification.
Cloud Security infrastructure Network Level • When looking at the network level of infrastructure security • It is important to distinguish between public clouds and private clouds • Four significant risk factors in this use case: • Ensuring the confidentiality and integrity of your organization’s data-in- transit to and from your public cloud provider • Ensuring proper access control (authentication, authorization, and auditing) to whatever resources you are using at your public cloud provider • Ensuring the availability of the Internet-facing resources in a public cloud • that are being used by your organization, or have been assigned to your organization by your public cloud providers • Replacing the established model of network zones and tiers with domains
• Host Level • When reviewing host security and assessing risks, • Consider the context of • Cloud services delivery models (SaaS, PaaS, and IaaS) and • Deployment models (public, private, and hybrid). • There are no known new threats to hosts that are specific to cloud computing, virtualization security threats — such as • VM escape, • System configuration drift, and • Insider threats by way of weak access control to the hypervisor • Understand the trust boundary and the responsibilities that fall on you to secure the host infrastructure that you manage. • There are also some providers’ responsibilities in securing the part of host infrastructure the CSP manages.
• Application Level • Application or software security should be a critical element of your security program. • Designing and implementing applications targeted for deployment on a cloud platform requires application security programs • This discussion only focus towards web application security: • Web applications in the cloud accessed by users with standard Internet browsers, such as Firefox, from any computer connected to the Internet. • Browser has emerged as the end user client for accessing in-cloud applications, • Hence, it is important for application security programs to include browser security into the scope of application security. • Together they determine the strength of end-to-end cloud security that helps protect the confidentiality, integrity, and availability of the information processed by cloud services.
Aspects of Data Security • Security for • 1.Data in transit • 2.Data at rest • 3.Processing of data including multitenancy • 4.Data Lineage • 5.Data Provenance • 6.Data remanance • Solutions include encryption, identity management,sanitation
Provider Data and its Security • how can this data be secured? 1.Data security issues 2.Access control, • Key management for encrypting • Confidentiality (Encryption ), • Integrity (message authentication code MAC & cipher block chaining CBC)and Availability (down time in SLA) are objectives of data security in the cloud
Identity And Access Management Architecture • Support for Identity and Access Management (IAM )features • aid in Authentication, Authorization, and Auditing (AAA) of users accessing cloud services. • Authentication • Process of verifying the identity of a user or system • Authorization • Process of determining the privileges the user is entitled to once the identity is established.
• Auditing • Process of review and examination of authentication, authorization records, and activities • to determine the adequacy of IAM system controls, • to verify compliance with established security policies and procedures, • to detect breaches in security services, and • to recommend any changes that are indicated for countermeasures. • IAM processes to support the business can be broadly categorized as follows: • User management • Activities for the effective governance and management of identity life cycles • Authentication management • Activities for the effective governance and management of the process for determining that an entity is who or what it claims to be • Authorization management • Activities for the effective governance and management of the process
Availability Management • SaaS availability • Customer responsibility: Customer must understand • SLA and communication methods • SaaS health monitoring • PaaS availability • Customer responsibility • ‘PaaS health monitoring • IaaS availability • Customer responsibility • IaaS health monitoring
• Access Control Management in the Cloud • Who should have access and why • How is a resources accessed • How is the access monitored • Impact of access control of SaaS, PaaS and IaaS • Security Vulnerability, Patch and Configuration (VPC) Management • How can security vulnerability, patch and configuration management for • an organization be extended to a cloud environment • What is the impact of VPS on SaaS, PaaS and IaaS

Empfohlen

Cs6703 grid and cloud computing unit 5
Cs6703 grid and cloud computing unit 5Cs6703 grid and cloud computing unit 5
Cs6703 grid and cloud computing unit 5
RMK ENGINEERING COLLEGE, CHENNAI
 
Week 3 lecture material cc
Week 3 lecture material ccWeek 3 lecture material cc
Week 3 lecture material cc
Ankit Gupta
 
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
idescitation
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Security Requirement Specification Model for Cloud Computing Services
Security Requirement Specification Model for Cloud Computing ServicesSecurity Requirement Specification Model for Cloud Computing Services
Security Requirement Specification Model for Cloud Computing Services
Matteo Leonetti
 
Overview of cloud computing architecture service
Overview of cloud computing architecture serviceOverview of cloud computing architecture service
Overview of cloud computing architecture service
eSAT Publishing House
 
Overview of cloud computing architecture
Overview of cloud computing architectureOverview of cloud computing architecture
Overview of cloud computing architecture
eSAT Journals
 
Cloud Infrastructure Mechanisms
Cloud Infrastructure MechanismsCloud Infrastructure Mechanisms
Cloud Infrastructure Mechanisms
Mohammed Sajjad Ali
 

Empfohlen

Cs6703 grid and cloud computing unit 5
Cs6703 grid and cloud computing unit 5Cs6703 grid and cloud computing unit 5
Cs6703 grid and cloud computing unit 5
RMK ENGINEERING COLLEGE, CHENNAI
 
Week 3 lecture material cc
Week 3 lecture material ccWeek 3 lecture material cc
Week 3 lecture material cc
Ankit Gupta
 
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
idescitation
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Security Requirement Specification Model for Cloud Computing Services
Security Requirement Specification Model for Cloud Computing ServicesSecurity Requirement Specification Model for Cloud Computing Services
Security Requirement Specification Model for Cloud Computing Services
Matteo Leonetti
 
Overview of cloud computing architecture service
Overview of cloud computing architecture serviceOverview of cloud computing architecture service
Overview of cloud computing architecture service
eSAT Publishing House
 
Overview of cloud computing architecture
Overview of cloud computing architectureOverview of cloud computing architecture
Overview of cloud computing architecture
eSAT Journals
 
Cloud Infrastructure Mechanisms
Cloud Infrastructure MechanismsCloud Infrastructure Mechanisms
Cloud Infrastructure Mechanisms
Mohammed Sajjad Ali
 
V04405122126
V04405122126V04405122126
V04405122126
IJERA Editor
 
Cloud Management Mechanisms
Cloud Management MechanismsCloud Management Mechanisms
Cloud Management Mechanisms
Mohammed Sajjad Ali
 
Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
Design & Development of a Trustworthy and Secure Billing System for Cloud Com...Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
iosrjce
 
Third Party Cloud Management
Third Party Cloud ManagementThird Party Cloud Management
Third Party Cloud Management
Orchestrate Mortgage and Title Solutions, LLC
 
Unit5 Cloud Federation,
Unit5 Cloud Federation,Unit5 Cloud Federation,
Unit5 Cloud Federation,
Integral university, India
 
Cloud computing it703 unit iii
Cloud computing it703 unit iiiCloud computing it703 unit iii
Cloud computing it703 unit iii
Jitendra s Rathore
 
Cs6703 grid and cloud computing unit 3
Cs6703 grid and cloud computing unit 3Cs6703 grid and cloud computing unit 3
Cs6703 grid and cloud computing unit 3
RMK ENGINEERING COLLEGE, CHENNAI
 
Paper id 27201433
Paper id 27201433Paper id 27201433
Paper id 27201433
IJRAT
 
DOTNET 2013 IEEE CLOUDCOMPUTING PROJECT Collaboration in multicloud computing...
DOTNET 2013 IEEE CLOUDCOMPUTING PROJECT Collaboration in multicloud computing...DOTNET 2013 IEEE CLOUDCOMPUTING PROJECT Collaboration in multicloud computing...
DOTNET 2013 IEEE CLOUDCOMPUTING PROJECT Collaboration in multicloud computing...
IEEEGLOBALSOFTTECHNOLOGIES
 
Collaboration in multicloud computing environments framework and security issues
Collaboration in multicloud computing environments framework and security issuesCollaboration in multicloud computing environments framework and security issues
Collaboration in multicloud computing environments framework and security issues
IEEEFINALYEARPROJECTS
 
Cloud Computing - Introduction
Cloud Computing - IntroductionCloud Computing - Introduction
Cloud Computing - Introduction
Dr. Sunil Kr. Pandey
 
Privacy Preserving Public Auditing for Data Storage Security in Cloud
Privacy Preserving Public Auditing for Data Storage Security in Cloud Privacy Preserving Public Auditing for Data Storage Security in Cloud
Privacy Preserving Public Auditing for Data Storage Security in Cloud
Girish Chandra
 
L04302088092
L04302088092L04302088092
L04302088092
ijceronline
 
A Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingA Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud Computing
Editor IJCATR
 
Cc unit 4 updated version
Cc unit 4 updated versionCc unit 4 updated version
Cc unit 4 updated version
Dr. Radhey Shyam
 
Saas security
Saas securitySaas security
Saas security
Sandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...
IJECEIAES
 
iaetsd Shared authority based privacy preserving protocol
iaetsd Shared authority based privacy preserving protocoliaetsd Shared authority based privacy preserving protocol
iaetsd Shared authority based privacy preserving protocol
Iaetsd Iaetsd
 
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTINGPRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
Kayalvizhi Selvaraj
 
Final review presentation
Final review presentationFinal review presentation
Final review presentation
Rahid Abdul Kalam
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?
Mark Williams
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 

Weitere ähnliche Inhalte

Was ist angesagt?

Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
Design & Development of a Trustworthy and Secure Billing System for Cloud Com...Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
iosrjce
 
A Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingA Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud Computing
Editor IJCATR
 
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...
IJECEIAES
 
iaetsd Shared authority based privacy preserving protocol
iaetsd Shared authority based privacy preserving protocoliaetsd Shared authority based privacy preserving protocol
iaetsd Shared authority based privacy preserving protocol
Iaetsd Iaetsd
 

Was ist angesagt? (20)

V04405122126
V04405122126V04405122126
V04405122126
 
Cloud Management Mechanisms
Cloud Management MechanismsCloud Management Mechanisms
Cloud Management Mechanisms
 
Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
Design & Development of a Trustworthy and Secure Billing System for Cloud Com...Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
Design & Development of a Trustworthy and Secure Billing System for Cloud Com...
 
Third Party Cloud Management
Third Party Cloud ManagementThird Party Cloud Management
Third Party Cloud Management
 
Unit5 Cloud Federation,
Unit5 Cloud Federation,Unit5 Cloud Federation,
Unit5 Cloud Federation,
 
Cloud computing it703 unit iii
Cloud computing it703 unit iiiCloud computing it703 unit iii
Cloud computing it703 unit iii
 
Cs6703 grid and cloud computing unit 3
Cs6703 grid and cloud computing unit 3Cs6703 grid and cloud computing unit 3
Cs6703 grid and cloud computing unit 3
 
Paper id 27201433
Paper id 27201433Paper id 27201433
Paper id 27201433
 
DOTNET 2013 IEEE CLOUDCOMPUTING PROJECT Collaboration in multicloud computing...
DOTNET 2013 IEEE CLOUDCOMPUTING PROJECT Collaboration in multicloud computing...DOTNET 2013 IEEE CLOUDCOMPUTING PROJECT Collaboration in multicloud computing...
DOTNET 2013 IEEE CLOUDCOMPUTING PROJECT Collaboration in multicloud computing...
 
Collaboration in multicloud computing environments framework and security issues
Collaboration in multicloud computing environments framework and security issuesCollaboration in multicloud computing environments framework and security issues
Collaboration in multicloud computing environments framework and security issues
 
Cloud Computing - Introduction
Cloud Computing - IntroductionCloud Computing - Introduction
Cloud Computing - Introduction
 
Privacy Preserving Public Auditing for Data Storage Security in Cloud
Privacy Preserving Public Auditing for Data Storage Security in Cloud Privacy Preserving Public Auditing for Data Storage Security in Cloud
Privacy Preserving Public Auditing for Data Storage Security in Cloud
 
L04302088092
L04302088092L04302088092
L04302088092
 
A Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingA Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud Computing
 
Cc unit 4 updated version
Cc unit 4 updated versionCc unit 4 updated version
Cc unit 4 updated version
 
Saas security
Saas securitySaas security
Saas security
 
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...
 
iaetsd Shared authority based privacy preserving protocol
iaetsd Shared authority based privacy preserving protocoliaetsd Shared authority based privacy preserving protocol
iaetsd Shared authority based privacy preserving protocol
 
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTINGPRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
PRIVACY-PRESERVING PUBLIC AUDITING FOR DATA STORAGE SECURITY IN CLOUD COMPUTING
 
Final review presentation
Final review presentationFinal review presentation
Final review presentation
 

Ähnlich wie Unit 5

Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 

Ähnlich wie Unit 5 (20)

Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 
SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7SCWCD : Secure web : CHAP : 7
SCWCD : Secure web : CHAP : 7
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud Security
 
Security Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloudSecurity Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloud
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
Context Based Authentication
Context Based AuthenticationContext Based Authentication
Context Based Authentication
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
 
Software Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE projectSoftware Defined Networking in the ATMOSPHERE project
Software Defined Networking in the ATMOSPHERE project
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Cyber Security # Lec 5
Cyber Security # Lec 5Cyber Security # Lec 5
Cyber Security # Lec 5
 
Cloud Cmputing Security
Cloud Cmputing SecurityCloud Cmputing Security
Cloud Cmputing Security
 

Kürzlich hochgeladen

+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
Health
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Call Girls Mumbai
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
Neometrix_Engineering_Pvt_Ltd
 
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
HenryBriggs2
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
MsecMca
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
Kamal Acharya
 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
jaanualu31
 

Kürzlich hochgeladen (20)

+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
+97470301568>> buy weed in qatar,buy thc oil qatar,buy weed and vape oil in d...
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptxA CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
A CASE STUDY ON CERAMIC INDUSTRY OF BANGLADESH.pptx
 
Computer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesComputer Networks Basics of Network Devices
Computer Networks Basics of Network Devices
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
Work-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxWork-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptx
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
scipt v1.pptxcxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKARHAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
HAND TOOLS USED AT ELECTRONICS WORK PRESENTED BY KOUSTAV SARKAR
 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
 
2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects
 
Engineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planesEngineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planes
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
 

Unit 5

  • 1. UNIT – V UNIT V SECURITY Trust models for Grid security environment –Authentication and Authorization methods – Grid security infrastructure – Cloud Infrastructure security: network, host and application level – aspects of data security, provider data and its security, Identity and access management architecture, IAM practices in the cloud, SaaS, PaaS, IaaS availability in the cloud, Key privacy issues in the cloud.
  • 2. INTRODUCTION • The security is an important factor in planning and maintaining a grid as well as cloud environment. • Secure operations in both the environments requires applications and services to be capable of supporting variety of security functions such as authentication, authorization, credential conversion, auditing and delegation. • Trust – belief in the competence of an entity • 1 – trustworthy • 0 - untrustworthy
  • 3. Trust Models for Grid Security Environment • Security is the important factor which has to be handled carefully. • The lack of security may generate various issues like • Denial of access • Faulty and malicious operations • Network sniffing • Attack provenance • System level vulnerabilities • The domain of grid is very large which span across multiple locations. Therefore trusted and secure end-to-end delivery of grid services is required.
  • 4. • Two parameter used in security assurance condition : TI ≥ SD • A user job demands the resource site to provide security assurance by issuing a security demand (SD). • The site needs to reveal its trustworthiness, called its trust index (TI). • These attributes and their values are dynamically changing and depend heavily on • the trust model, • security policy, • accumulated reputation, • self-defense capability, • attack history and site vulnerability.
  • 5. • Three challenges: • How to integrate new security infrastructure for existing system. • Interoperability between different hosting environment. • Maintaining trust relationship between different hosting sites. • Different trust models: • Conventional trust model • Reputation based trust model • Fuzzy based trust model
  • 6. Conventional trust model Grid resource request Security controller Trustworthiness Interfernce mechanism with aggregation Reputation factors Recommended trust safeguards Response and TAT firewall Utilization rate IDS Success rate IPS Avg slowdown ratio Antivirus
  • 7. Reputation based trust model • In reputation based model, the user sent job to resource site for computation but it will be delivered only if site is trustworthy to fulfill user demand. • assessed according to such factors as intrusion detection, firewall, response capabilities, anti-virus capacity, and so on. • The safeguards are used to protect site itself from various attacks using IDS, IPS, firewalls or antivirus. • A positive experience associated with a site will improve its reputation. • On the contrary, a negative experience with a site will decrease its reputation
  • 8. Fuzzy based trust model • The fuzzy based model is based on Security Demand(SD) and Trust Index(TI) of a site. • two-level fuzzy logic to estimate the aggregation of numerous • trust parameters and security attributes into scalar quantities that are easy to use in the job scheduling and resource mapping process. • TI – 1- high risk 0 – risk free • The fuzzy inference is accomplished through four steps: fuzzification,inference, aggregation, and defuzzification. • SD > TI , the trust model could deduce detailed security features to guide the site security upgrade as a result of tuning the fuzzy system.
  • 9. Authentication and Authorization Methods • Authentication and Authorization methods are the security mechanisms work together to prevent security attacks in grid environment.
  • 10. Authentication Methods • The authentication is a process of checking authenticity of entities using different authentication methods like • Password(User name, Password) • Public key Infrastructure(PKI)(CA) • Kerberos(Session Key)
  • 11. Authorization Methods • The authorization is a process of determining who is allowed to access which shared resources under what condition. • Three types of authorities namely • Attribute Authorities – issue attribute assertions • Policy Authorities – issues authorization policies wrt resources • Identity Authorities – issues certificates using Public key infrastructure (PKI) • Three basic entities • Subject – defines a set of policies determines how its authorization used • Resource – component of the system • Authority – capable of issuing validating and revoking the proofs of subjects of rights
  • 12. Authentication Models 2 1 4 3 Authorization authority Subject Resource 1. Subject push authorization model The user conducts handshake with the authority first and then with the resource site in a sequence.
  • 13. 2. Resource pull authorization model 3 2 • puts the resource in the middle. • The user checks the resource first. Then the resource 1 4 • contacts its authority to verify the request, and the Authority authorizes at step 3. • Finally the resource accepts or rejects the request from the subject at step 4 Authorization authority Resource Subject
  • 14. 3. The agent based authorization model • puts the resource in the middle. • The user checks the resource first. Then the resource • contacts its authority to verify the request, and the authority • authorizes at step 3. Finally the resource accepts or rejects the request from the subject at step 4 1 4 3 2 Subject Resource Authorization authority Authorization agent
  • 15. Grid Security Infrastructure • Grid environment seeks a security infrastructure that meets the following basic requirements. • Easy to use • Meets the VO’s security when working with site policies • An appropriate authentication and encryption for all interactions • GSI also part of globus toolkit and provides basic security services • Message protection • Authentication and delegation • Authorization
  • 16. GSI • Functional Layers of GSI • Transport Level Security of GSI • Message Level Security of GSI • Authentication and Delegation of GSI • Trust Delegation of GSI
  • 17. Functional Layers of GSI • GT4 offers various WS and pre-WS authentication and authorization capabilities. • Four functions are • Message protection • Authentication • Delegation • Authorization
  • 18. Transport Level Security of GSI • TLS is based on SOAP(Simple Object Access Protocol) message passed over a network connection protected by TLS. • TLS is responsible for providing • Integrity protection • Privacy • TLS performs the authentication via •Username •Password
  • 19. Message Level Security of GSI • GSI offers message level security for SOAP messages by implementing the WS – security standard and using the WS – secure conversation specification. • WS – secure conversation specification is a standard proposed from IBM and Microsoft which allows exchange of messages. • Three more protection mechanisms • Integrity protection • Encryption • Replay prevention
  • 20. Authentication and Delegation of GSI • GSI offers both authentication and delegation by using CA and public key. • It also provides through username and password . • GSI certificate contains the following components. • Name of the subject • Public key of the subject • Identify the signature • Digital signature that belongs to the CA
  • 21. Trust Delegation of GSI • GSI offers delegation capability and services through an interface. • This interface allows client to delegate certificate to a service. • The interface is based on WS – Trust specification.
  • 22. Cloud Security infrastructure Network Level • When looking at the network level of infrastructure security • It is important to distinguish between public clouds and private clouds • Four significant risk factors in this use case: • Ensuring the confidentiality and integrity of your organization’s data-in- transit to and from your public cloud provider • Ensuring proper access control (authentication, authorization, and auditing) to whatever resources you are using at your public cloud provider • Ensuring the availability of the Internet-facing resources in a public cloud • that are being used by your organization, or have been assigned to your organization by your public cloud providers • Replacing the established model of network zones and tiers with domains
  • 23. • Host Level • When reviewing host security and assessing risks, • Consider the context of • Cloud services delivery models (SaaS, PaaS, and IaaS) and • Deployment models (public, private, and hybrid). • There are no known new threats to hosts that are specific to cloud computing, virtualization security threats — such as • VM escape, • System configuration drift, and • Insider threats by way of weak access control to the hypervisor • Understand the trust boundary and the responsibilities that fall on you to secure the host infrastructure that you manage. • There are also some providers’ responsibilities in securing the part of host infrastructure the CSP manages.
  • 24. • Application Level • Application or software security should be a critical element of your security program. • Designing and implementing applications targeted for deployment on a cloud platform requires application security programs • This discussion only focus towards web application security: • Web applications in the cloud accessed by users with standard Internet browsers, such as Firefox, from any computer connected to the Internet. • Browser has emerged as the end user client for accessing in-cloud applications, • Hence, it is important for application security programs to include browser security into the scope of application security. • Together they determine the strength of end-to-end cloud security that helps protect the confidentiality, integrity, and availability of the information processed by cloud services.
  • 25. Aspects of Data Security • Security for • 1.Data in transit • 2.Data at rest • 3.Processing of data including multitenancy • 4.Data Lineage • 5.Data Provenance • 6.Data remanance • Solutions include encryption, identity management,sanitation
  • 26. Provider Data and its Security • how can this data be secured? 1.Data security issues 2.Access control, • Key management for encrypting • Confidentiality (Encryption ), • Integrity (message authentication code MAC & cipher block chaining CBC)and Availability (down time in SLA) are objectives of data security in the cloud
  • 27. Identity And Access Management Architecture • Support for Identity and Access Management (IAM )features • aid in Authentication, Authorization, and Auditing (AAA) of users accessing cloud services. • Authentication • Process of verifying the identity of a user or system • Authorization • Process of determining the privileges the user is entitled to once the identity is established.
  • 28. • Auditing • Process of review and examination of authentication, authorization records, and activities • to determine the adequacy of IAM system controls, • to verify compliance with established security policies and procedures, • to detect breaches in security services, and • to recommend any changes that are indicated for countermeasures. • IAM processes to support the business can be broadly categorized as follows: • User management • Activities for the effective governance and management of identity life cycles • Authentication management • Activities for the effective governance and management of the process for determining that an entity is who or what it claims to be • Authorization management • Activities for the effective governance and management of the process
  • 29. Availability Management • SaaS availability • Customer responsibility: Customer must understand • SLA and communication methods • SaaS health monitoring • PaaS availability • Customer responsibility • ‘PaaS health monitoring • IaaS availability • Customer responsibility • IaaS health monitoring
  • 30. • Access Control Management in the Cloud • Who should have access and why • How is a resources accessed • How is the access monitored • Impact of access control of SaaS, PaaS and IaaS • Security Vulnerability, Patch and Configuration (VPC) Management • How can security vulnerability, patch and configuration management for • an organization be extended to a cloud environment • What is the impact of VPS on SaaS, PaaS and IaaS