2. Overview
1. Cloud Computing
1. Definition (Cloud computing)
2. Application (Examples of Application)
3. How cloud computing works
2. Grid Computing
1. Definition (Grid computing)
2. Large scale Application
3. How grid computing works
3. Security in Cloud (and Grid) Computing
1. Threats and Vulnerabilities
2. Counter Measures
3. Points to note and conclusion
06/11/2014 Dougie T Muringani :- Security in Cloud (and Grid) Computing 2
3. Cloud Computing
Def. - Internet-based computing, whereby shared computing resources, software, and information are provided on demand via the internet.
4. Cloud Computing (Applications and Examples)
Popular Applications and Services
• File Processing and Storage (IaaS)
• Accounting software and services (SaaS)
• Application software and Email services (Hosted exchange servers)
• Email Solutions
5. Applications ... cont.
• The main idea or goal of cloud computing is separating the
application software from the OS and the OS from the Hardware.
• Also cloud computing enhances the scalability, reliability (Instant
Availability) attributes of a system as well as Remote processing and
Ubiquitous computing.
• For instance Google Drive allows users to store Files “on the
cloud” so that they can be accessed at any time (Instant
Availability) from any device as long as you provide valid login credentials. Location
(Ubiquitous computing) does not affect this either.
* Ubiquitous computing (Also known as Pervasive computing)
– Is an advanced computing concept where computing is
everywhere and anywhere.
6. How CC works
• To get cloud computing to work, you need three things: thin clients,
grid computing, and utility computing.
• Grid computing links disparate computers to form one large
infrastructure, harnessing unused resources.
• Utility computing is paying for what you use on shared servers, the way you
pay for a public utility (such as electricity, water, and so on).
• With grid computing, you can provision computing resources as a
utility that can be turned on or off.
• Cloud computing goes one step further with on-demand resource
provisioning.
• This eliminates overprovisioning when used with utility pricing and
removes the need to over-provision in order to meet the demands of
millions of users.
7. How CC works ... cont.
• A consumer can get service from a full computer
infrastructure through the Internet. This type of service
is called Infrastructure as a Service (IaaS). Internet-based
services such as storage and databases are part
of the IaaS.
• Other types of services on the Internet are Platform as a
Service (PaaS) and Software as a Service (SaaS).
• PaaS offers full or partial application development environments that
users can access, while SaaS provides a complete turnkey
application, such as Enterprise Resource Management,
through the Internet.
9. Cloud Computing Models
• Public Cloud – The Public Cloud allows systems and services
to be easily accessible to the general public, e.g., Google,
Amazon and Microsoft offer cloud services via the Internet.
10. Models cont...
• Private Cloud – The Private Cloud allows systems and services to be
accessible within an organization. The Private Cloud is operated only
within a single organization. However, it may be managed internally or
by a third party.
11. Models cont...
• Hybrid Cloud – The Hybrid Cloud is a mixture of public and
private cloud. Non-critical activities are performed using the
public cloud while the critical activities are performed
using the private cloud.
12. Grid Computing
Def. - The term “Grid” refers to systems and applications that integrate and manage resources and services distributed across multiple control domains.
13. Definition (Grid Computing) ...cont.
• Grid computing is a form of distributed computing that
involves coordinating and sharing computing,
application, data and storage or network resources
across dynamic and geographically dispersed
organizations.
• The grid can be thought of as a distributed system with
non-interactive workloads that involve a large
number of files.
• Grid computing combines computers from multiple
administrative domains to reach a common goal, to
solve a single task, and may then disappear just as
quickly.
14. GC (Applications and Examples)
• IBM’s SETI@home ("SETI at home") is an Internet based public
volunteer computing project. SETI is an acronym for the Search for
Extra-Terrestrial Intelligence. Its purpose is to analyse radio signals,
searching for signs of extra terrestrial intelligence, and is one of
many activities undertaken as part of SETI.
• Anybody with an at least intermittently Internet-connected
computer can participate in SETI@home by running a free program
that downloads and analyses radio telescope data.
• The Worldwide LHC Computing Grid (WLCG) is a global
collaboration of computer centres. It was launched in 2002 to
provide a resource to store, distribute and analyse the 15 petabytes
(15 million gigabytes) of data generated every year by the Large
Hadron Collider (LHC).
15. How Grid computing works
• One of the main strategies of grid computing is to use
middleware to divide and apportion pieces of a program
among several computers, sometimes up to as many as
thousands.
• It may also involve the aggregation of large-scale
clusters.
• This technology has been applied to computationally
intensive scientific, mathematical, and academic problems
through volunteer computing.
16. How GC works ...cont.
Similarities and differences:
Grid and Cloud computing
• Cloud computing and grid computing are scalable.
• CPU and network bandwidth is allocated and de-allocated
on demand.
• The system's storage capacity goes up and down
depending on the number of users, instances, and
the amount of data transferred at a given time.
• While the storage computing in the grid is well
suited for data-intensive storage, it is not
economically suited for storing objects as small as 1
byte. Distributed data must be large for maximum
benefit.
17. CC vs. GC ...cont.
INCLUDED IN PRESENTATION FOLDER:
Cloud Computing Vs. Grid Computing
Seyyed Mohsen Hashemi, Amid Khatibi Bardsiri (Journal)
18. Security issues in Cloud
(and Grid) computing
Computer security refers to techniques for
ensuring that data stored in a computer or data
in transit cannot be read or compromised by any
individuals without authorization.
How safe is the cloud?
How can we ensure data security in the cloud?
19. How safe (and/or reliable) is the cloud?
• Most companies or organisations connect their servers to
the internet, which makes them roughly as vulnerable as the
Cloud. But then most of these companies do not invest much
in security.
• The hosting companies, on the other hand, employ security
experts specifically for that task, making the cloud actually
safer than local servers, not to mention the various kinds of
physical risks such as theft, floods, fire or even loss of power.
* Take for instance security on
Facebook or Google Drive
21. The Notorious Nine
1.0: Data Breaches
• Organization’s sensitive internal data falls into the hands of
their competitors or Hackers.
• In November 2012, researchers from the University of
North Carolina, the University of Wisconsin and RSA
released a paper describing how a virtual machine could use
side channel timing information to extract private
cryptographic keys being used in other virtual machines on
the same physical server.
• You may be able to encrypt your data to reduce the impact of a data
breach, but if you lose your encryption key, you’ll lose your
data as well.
22. The Notorious Nine ...cont. (1)
2.0: Data Loss
• Data stored in the cloud can be lost due to reasons other than
malicious attackers.
• Any accidental deletion by the cloud service provider, or worse,
a physical catastrophe such as a fire or earthquake, could lead to
the permanent loss of customers’ data unless the provider takes
adequate measures to backup data.
• Also, if a customer encrypts his or her data before uploading it to
the cloud, but loses the encryption key, the data will be lost as well.
• Under the new EU data protection rules, data destruction and corruption of
personal data are considered forms of data breaches and would require
appropriate notifications.
23. The Notorious Nine ...cont. (2)
3.0: Account or Service Traffic Hijacking
• Attack methods such as phishing, fraud, and exploitation of software
vulnerabilities still achieve results.
• With stolen credentials, attackers can often access critical areas of
deployed cloud computing services, allowing them to compromise
the confidentiality, integrity and availability of those services.
24. The Notorious Nine ...cont. (3)
4.0: Insecure Interfaces and APIs
• Cloud computing providers expose a set of software
interfaces or APIs that customers use to manage and interact
with cloud services. Provisioning, management,
orchestration, and monitoring are all performed using these
interfaces.
• The security and availability of general cloud services is
dependent upon the security of these basic APIs. These
must be designed to protect against both accidental and
malicious attempts to circumvent policy.
25. The Notorious Nine ...cont. (4)
5.0: Denial of Service
• As a consumer, service outages not only frustrate you, but also
force you to reconsider whether moving your critical data to
the cloud to reduce infrastructure costs was really worthwhile
after all. (The EBay example)
• Since cloud providers often bill clients based on the compute
cycles and disk space they consume, there’s the possibility that
an attacker may not be able to completely knock your service
off of the net, but may still cause it to consume so much
processing time that it becomes too expensive for you to run
and you’ll be forced to take it down yourself.
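One defensive response to the billing-based denial-of-service scenario above is to meter spend per caller and for the service as a whole, and to stop serving before the bill runs away. The example below is added here and is not from the slides; the log format, tariff, budgets and the documentation addresses used as callers are constructed assumptions:

```python
from collections import defaultdict, deque

# Constructed sample of a metered access log (not from the slides): unix time,
# caller identity, CPU milliseconds consumed and egress bytes, i.e. the fields a
# pay-per-use bill is computed from. 203.0.113.9 and 198.51.100.7 are
# documentation addresses standing in for hypothetical abusive callers.
SAMPLE_LOG = """\
1700000000 10.0.0.5 cpu_ms=20 bytes=1500
1700000001 10.0.0.5 cpu_ms=25 bytes=1200
1700000001 203.0.113.9 cpu_ms=900 bytes=50000
1700000002 203.0.113.9 cpu_ms=950 bytes=52000
1700000003 203.0.113.9 cpu_ms=940 bytes=51000
1700000004 10.0.0.5 cpu_ms=22 bytes=1300
1700000005 203.0.113.9 cpu_ms=960 bytes=49000
1700000006 198.51.100.7 cpu_ms=990 bytes=60000
1700000007 198.51.100.7 cpu_ms=980 bytes=58000
"""


def request_cost(cpu_ms, nbytes):
    """Constructed tariff in integer micro-units so the arithmetic is exact:
    10 units per CPU millisecond, 1 unit per 10 bytes of egress."""
    return cpu_ms * 10 + nbytes // 10


def parse_line(line):
    ts, caller, cpu, byt = line.split()
    return int(ts), caller, int(cpu.split("=", 1)[1]), int(byt.split("=", 1)[1])


class SpendGuard:
    """Sliding-window spend accounting per caller and for the whole service."""

    def __init__(self, window=60, caller_budget=20000, global_budget=50000):
        self.window = window
        self.caller_budget = caller_budget
        self.global_budget = global_budget
        self.events = deque()           # (ts, caller, cost), oldest first
        self.spent = defaultdict(int)   # caller -> cost inside the window
        self.total = 0                  # all callers inside the window

    def _expire(self, now):
        # Drop events that have fallen out of the window and refund their cost.
        while self.events and self.events[0][0] < now - self.window:
            _, caller, cost = self.events.popleft()
            self.spent[caller] -= cost
            self.total -= cost

    def observe(self, ts, caller, cpu_ms, nbytes):
        """Return the alerts raised by one request (an empty list means it was served)."""
        self._expire(ts)
        if self.spent[caller] > self.caller_budget:
            return ["reject"]          # already over budget: drop before doing the work
        cost = request_cost(cpu_ms, nbytes)
        self.events.append((ts, caller, cost))
        self.spent[caller] += cost
        self.total += cost
        alerts = []
        if self.spent[caller] > self.caller_budget:
            alerts.append("throttle")      # this caller alone is burning the budget
        if self.total > self.global_budget:
            alerts.append("global-alarm")  # many small callers can add up to the same bill
        return alerts


def run(log_text, guard=None):
    """Feed every log line through the guard and return the per-request alerts."""
    guard = guard or SpendGuard()
    return [guard.observe(*parse_line(l)) for l in log_text.splitlines() if l.strip()]
```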
26. The Notorious Nine ...cont. (5)
6.0: Malicious Insiders
• The European Council for Nuclear Research (Conseil Européen
pour la Recherche Nucléaire), CERN, defines an insider threat as
such:
• “A malicious insider threat to an organization is a
current or former employee, contractor, or other
partner who has or had authorized access to an
organization's network, system, or data and intentionally
exceeded or misused that access in a manner that
negatively affected the confidentiality, integrity, or
availability (CIA) of the organization's information or
information systems.”
27. Threats (and Attacks) ...cont.
7.0: Abuse of Cloud Services
8.0: Insufficient Due Diligence
9.0: Shared Technology Issues
These are explained in detail
in the (Notorious 9) pdf
document and in the slide notes.
• Although we only discussed the top 9 threats to cloud
computing, other threats lie in cloud computing. It is from these
threats that attacks are perpetrated. Examples of such attacks
are:
• Replay attacks
• Social engineering
• SYN Flood (DoS)
• Web spoofing
28. Countermeasures
How can we ensure data security
in the cloud?
Cloud Security Concerns:
• Multitenancy
• Velocity of Attack
• Information Assurance
• Data privacy and ownership
• The Notorious 9 (threats)
• etc...
29. Countermeasures...cont. (1)
Multitenancy
• Multitenancy basically means offering cloud services to
multiple clients (Tenants).
• The best counter measure to multi-tenancy security issues is
Mutual Client Isolation, that is, isolating the virtual
machines, the data itself and the network communication.
Velocity of attack
• Security threats amplify and spread quickly in a cloud.
This is known as Velocity of Attack (VOA).
• The best counter measure to VOA is to adopt more robust
security enforcement mechanisms such as Defence In
Depth (discussed in the next slides).
30. Countermeasures...cont. (2)
Information Assurance and Data ownership
• Information Assurance concerns in cloud computing
involve CIA (Confidentiality, Integrity, Availability),
Authenticity and Authorized use.
• Data ownership concerns are mainly raised by the cloud
owners.
• In cloud computing, data belonging to a client is
maintained by a Cloud Service Provider (CSP) who
has access to it but is not the legitimate owner of the data.
• The best counter measure to these concerns is to use
security enforcement techniques such as Data encryption,
access control mechanisms, Data Shredding (for
drives) and Identity Management (IM).
31. Security enforcement (techniques)
Defence In Depth
• It is also known as the "Layered approach" to security.
• It is a mechanism which uses multiple security measures to
reduce the risk from security threats if one component of the
protection gets compromised.
LAYERS
1. Perimeter Security (Physical Security)
2. Remote Access Controls (VPN, Authentication, etc.)
3. Network Security (Firewalls, DMZ, etc.)
*Layer 1-3 protect a system and/or data mainly from
external threats
4. Computer Security ( Antivirus, Hardening, etc.)
5. Storage Security (Encryption, Zoning, etc.)
*The rest of the layers mainly mitigate internal threats
33. Security enforcement ...cont. (1)
Multiple-Factor Authentication
• This is a technique that was created in the hope of improving the
traditional “username + password” authentication technique. It
employs more factors than just a password to gain access to a system
or file.
• Multi-factor authentication:
• 1st factor - something the person knows (e.g. Password)
• 2nd factor - something the person has (e.g. Credit Card)
• 3rd factor - something the person is (e.g. Biometric Signature)
• Here access is granted only if all the specified factors are validated.
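The "all factors must validate" rule above, worked through for a password (the knowledge factor) plus a time-based one-time code from an authenticator app (the possession factor, implemented here per RFC 4226/6238 with the standard library). This is an added example, not the presentation's own code; the user record, salt and seed are constructed:

```python
import base64
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30       # seconds per code, as in RFC 6238
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 200_000


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record (hypothetical, for this example only). The base32 seed
# is what the user's authenticator app would have been enrolled with.
USERS = {
    "alice": {
        "salt": b"constructed-salt-alice",
        "pw_hash": hash_password("correct horse battery staple", b"constructed-salt-alice"),
        "totp_seed": base64.b32decode("JBSWY3DPEHPK3PXP"),
    }
}

# Stand-in record for unknown users so the same work is done whether or not the
# username exists; response time then does not reveal which names are valid.
_DUMMY = {"salt": b"dummy-salt", "pw_hash": b"\x00" * 32, "totp_seed": b"\x00" * 10}


def authenticate(username, password, code, now=None, store=USERS):
    """Grant access only when the knowledge factor AND the possession factor validate."""
    if not code.isascii():
        return False
    now = time.time() if now is None else now
    user = store.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current code and one step either side to tolerate clock drift;
    # all three are always checked so a match does not shorten the loop.
    counter = int(now // TOTP_STEP)
    code_ok = False
    for drift in (-1, 0, 1):
        if hmac.compare_digest(hotp(user["totp_seed"], counter + drift), code):
            code_ok = True
    return username in store and pw_ok and code_ok
```

A real deployment would also record used codes so that a code cannot be presented twice within its window, and would rate-limit attempts per account.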
34. Security enforcement ...cont. (2)
Encryption
• This is the activity of converting data or information
into code or a form that cannot be meaningful without
special knowledge.
Hardening
• This is a process of changing the default
configurations in order to achieve greater security.
Identity Management
• One time Passwords
• Federated Identity management
• OpenID
Intrusion Detection, Role-based access control, etc.
35. Conclusion
Summary and Recommendations
• Cloud computing increases Revenue, reduces
operational costs and is less risky.
• The Pros of Cloud computing are scalability,
transparency and instant availability.
• Although the cloud may seem like it has increased
damage risk of attacks (VOA), it is actually
relatively safe.
• However one must be very careful to understand the
security risks and challenges posed in utilizing these
technologies before using the cloud and choosing a CSP.
• With the evolution of computing it is good to actually embrace
cloud computing.
37. References
1. Ali Raza Butt et al., Grid-computing portals and security issues (2003), Academic Press.
2. Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013 (2013).
3. Neha Mishra, Security Issues in Grid Computing, Volume 4 (2014), International Journal on Computational Sciences & Applications (IJCSA).
4. Kuyoro S. O. et al., Cloud Computing Security Issues and Challenges, Volume 3 (2011), International Journal of Computer Networks (IJCN).
5. Seyyed Mohsen Hashemi, Cloud Computing Vs. Grid Computing (2012), ARPN Journal of Systems and Software (AJSS).
6. http://home.web.cern.ch/about/computing/worldwide-lhc-computing-grid
7. http://www.cnet.com/news/ebay-hacked-requests-all-users-change-passwords/
8. http://www.itpro.co.uk
9. http://www.wikipedia.com
Editor's Notes
What is Cloud?
The term Cloud refers to a Network or the Internet. In other words, Cloud is something that is present at a remote location. A cloud can provide services over a network, i.e., on public networks or on private networks such as a WAN, LAN or VPN. Applications such as e-mail, web conferencing and customer relationship management (CRM) all run in the cloud.
What is Cloud Computing?
Cloud Computing refers to manipulating, configuring, and accessing applications online. It offers online data storage, infrastructure and applications.
Basic Concepts
There are certain services and models working behind the scene making the cloud computing feasible and accessible to end users. Following are the working models for cloud computing:
Deployment Models
Service Models
DEPLOYMENT MODELS
Deployment models define the type of access to the cloud, i.e., where the cloud is located and who can reach it. A cloud can have any of four types of access: Public, Private, Hybrid and Community.
SERVICE MODELS
Service Models are the reference models on which the Cloud Computing is based. These can be categorized into three basic service models as listed below:
1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Software as a Service (SaaS)
There are many other service models all of which can take the form like XaaS, i.e., Anything as a Service. This can be Network as a Service, Business as a Service, Identity as a Service, Database as a Service or Strategy as a Service.
IaaS - provides access to fundamental resources such as physical machines, virtual machines, virtual storage, etc. Apart from these resources, IaaS also offers:
Virtual machine disk storage
Virtual local area network (VLANs)
Load balancers
IP addresses
Software bundles
All of the above resources are made available to the end user via server virtualization. Moreover, these resources are accessed by the customers as if they owned them.
PaaS - offers the runtime environment for applications. It also offers the development and deployment tools required to build applications. PaaS often includes point-and-click tools that enable non-developers to create web applications. Google's App Engine and Force.com are examples of PaaS vendors. A developer may log on to these websites and use the built-in API to create web-based applications. The disadvantage of using PaaS is that the developer is locked in with a particular vendor. For example, an application written in Python against Google's API using Google's App Engine is likely to work only in that environment. Therefore, vendor lock-in is the biggest problem in PaaS. The following diagram shows how PaaS offers an API and development tools to developers and how it helps the end user to access business applications.
Software as a Service (SaaS) - provides a software application as a service to end users. It refers to software that is deployed on a hosted service and is accessible via the Internet. There are several kinds of SaaS application; some of them are listed below:
Billing and Invoicing System
Customer Relationship Management (CRM) applications
Help Desk Applications
Human Resource (HR) Solutions
Some SaaS applications are not customizable, such as an Office Suite. But SaaS provides an Application Programming Interface (API), which allows a developer to build a customized application.
Characteristics
Here are the characteristics of the SaaS service model:
SaaS makes the software available over the Internet.
The software is maintained by the vendor rather than by the customer running it.
The license to the software may be subscription based or usage based, and it is billed on a recurring basis.
SaaS applications are cost effective since they do not require any maintenance on the end user's side.
They are available on demand.
They can be scaled up or down on demand.
They are automatically upgraded and updated.
SaaS offers a shared data model. Therefore, multiple users can share a single instance of the infrastructure. It is not required to hard code functionality for individual users.
All users are running the same version of the software.
Benefits
There are many benefits of deploying a cloud as a public cloud. The following diagram shows some of those benefits:
COST EFFECTIVE
Since a public cloud shares the same resources among a large number of consumers, its cost is low.
RELIABILITY
Since a public cloud employs a large number of resources from different locations, if any resource fails, the public cloud can employ another one.
FLEXIBILITY
It is also very easy to integrate a public cloud with a private cloud, which gives consumers a flexible approach.
LOCATION INDEPENDENCE
Since public cloud services are delivered through the Internet, location independence is ensured.
UTILITY STYLE COSTING
A public cloud is also based on a pay-per-use model, and resources are accessible whenever the consumer needs them.
HIGH SCALABILITY
Cloud resources are made available on demand from a pool of resources, i.e., they can be scaled up or down according to the requirement.
Disadvantages
Here are the disadvantages of the public cloud model:
LOW SECURITY
In the public cloud model, data is hosted off-site and resources are shared publicly, so a higher level of security is not ensured.
LESS CUSTOMIZABLE
It is comparatively less customizable than a private cloud.
Benefits
There are many benefits of deploying a cloud as a private cloud. The following diagram shows some of those benefits:
HIGHER SECURITY AND PRIVACY
Private cloud operations are not available to the general public and resources are shared from a distinct pool, which ensures high security and privacy.
MORE CONTROL
A private cloud has more control over its resources and hardware than a public cloud because it is accessed only within an organization.
COST AND ENERGY EFFICIENCY
Private cloud resources are not as cost effective as public clouds, but they offer more efficiency than a public cloud.
Disadvantages
Here are the disadvantages of using the private cloud model:
RESTRICTED AREA
A private cloud is only accessible locally and is very difficult to deploy globally.
INFLEXIBLE PRICING
In order to fulfil demand, purchasing new hardware is very costly.
LIMITED SCALABILITY
A private cloud can be scaled only within the capacity of internally hosted resources.
Benefits
There are many benefits of deploying a cloud as a hybrid cloud. The following diagram shows some of those benefits:
SCALABILITY
It offers both the scalability of the public cloud and that of the private cloud.
FLEXIBILITY
It offers both secure resources and scalable public resources.
COST EFFICIENCIES
Public clouds are more cost effective than private ones, so a hybrid cloud can have this saving.
SECURITY
The private cloud within a hybrid cloud ensures a higher degree of security.
Disadvantages
NETWORKING ISSUES
Networking becomes complex due to the presence of both private and public clouds.
SECURITY COMPLIANCE
It is necessary to ensure that cloud services are compliant with the organization's security policies.
This technology has been applied to computationally intensive scientific, mathematical, and academic problems through volunteer computing, and it is used in commercial enterprises for such diverse applications as
drug discovery,
economic forecasting,
seismic analysis, and
back office data processing
This technology has also been applied in support for e-commerce and Web services.
More Similarities and differences
Both computing types involve multitenancy and multitasking, meaning that many customers can perform different tasks, accessing a single or multiple application instances.
Sharing resources among a large pool of users assists in reducing infrastructure costs and peak load capacity.
Cloud and grid computing provide service-level agreements (SLAs) for guaranteed uptime availability of, say, 99 percent.
Security in cloud computing is a major concern. Data in the cloud should be stored in encrypted form. To restrict clients from directly accessing the shared data, proxy and brokerage services should be employed.
Security Planning
Before deploying a particular resource to the cloud, one should analyze several attributes of the resource, such as:
Select which resources to move to the cloud and analyze their sensitivity to risk.
Consider cloud service models such as IaaS, PaaS, and SaaS. These models make the consumer responsible for security at different levels of service.
Consider which cloud type: public, private, community or hybrid.
Understand the cloud service provider's system: how data is transferred, where it is stored and how to move data into and out of the cloud.
Mainly the risk in a cloud deployment depends upon the service model and cloud type.
Understanding Security of Cloud
SECURITY BOUNDARIES
A particular service model defines the boundary between the responsibilities of service provider and consumer. Cloud Security Alliance (CSA) stack model defines the boundaries between each service model and shows how different functional units relate to each other.
On Sunday (15/09/14) morning EBay Buyers and sellers were unable to login to their accounts all morning, and many were unable to even access the eBay homepage. Those trying to reach eBay customer service for assistance found that was also down.
A hacker, going by the name Darwinare, posted usernames, contact details and home addresses of 628 people on the text-sharing website Pastebin on
Saturday (14/09/14), claiming they belonged to Amazon customers.
To identify the top threats, CSA conducted a survey of industry experts to compile professional opinion on the greatest vulnerabilities within cloud computing. The Top Threats working group used these survey results alongside their expertise to craft the final 2013 report.
The survey methodology validated that the threat listing reflects the most current concerns of the industry. In this most recent edition of this report, experts identified the above listed nine critical threats to cloud security (ranked in order of severity).
1.1 Implications
Unfortunately, while data loss and data leakage are both serious threats to cloud computing, the measures you put in place to mitigate one of these threats can exacerbate the other. You may be able to encrypt your data to reduce the impact of a data breach, but if you lose your encryption key, you’ll lose your data as well. Conversely, you may decide to keep offline backups of your data to reduce the impact of a catastrophic data loss, but this increases your exposure to data breaches.
1.2 Controls
CCM DG-04: Data Governance - Retention Policy
CCM DG-05: Data Governance - Secure Disposal
CCM DG-06: Data Governance - Non-Production Data
CCM DG-07: Data Governance - Information Leakage
CCM DG-08: Data Governance - Risk Assessments
CCM IS-18: Information Security - Encryption
CCM IS-19: Information Security - Encryption Key Management
CCM SA-02: Security Architecture - User ID Credentials
CCM SA-03: Security Architecture - Data Security/Integrity
CCM SA-06: Security Architecture - Production/Non-Production Environments
CCM SA-07: Security Architecture - Remote User Multi-Factor Authentication
Under the new EU data protection rules, data destruction and corruption of personal data are considered forms of data breaches and would require appropriate notifications.
Additionally, many compliance policies require organizations to retain audit records or other documentation. If an organization stores this data in the cloud, loss of that data could jeopardize the organization’s compliance status.
2.2 Controls
CCM DG-04: Data Governance - Retention Policy
CCM DG-08: Data Governance - Risk Assessments
CCM RS-05: Resiliency - Environmental Risks
CCM RS-06: Resiliency - Equipment Location
2.3 Links
1. Cloud Computing Users Are Losing Data, Symantec Finds
http://news.investors.com/technology/011613-640851-cloud-computing-data-loss-high-in-symantec-study.htm
2. Kill the Password: Why a String of Characters Can’t Protect Us Anymore
http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/
In April 2010, Amazon experienced a Cross-Site Scripting (XSS) bug that allowed attackers to hijack credentials from the site.
3.1 Implications
Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity and availability of those services. Organizations should be aware of these techniques as well as common defence in depth protection strategies to contain the damage (and possible litigation) resulting from a breach. Organizations should look to prohibit the sharing of account credentials between users and services, and leverage strong two-factor authentication techniques where possible.
3.2 Controls
CCM IS-07: Information Security - User Access Policy
CCM IS-08: Information Security - User Access Restriction/Authorization
CCM IS-09: Information Security - User Access Revocation
CCM IS-10: Information Security - User Access Reviews
CCM IS-22: Information Security - Incident Management
CCM SA-02: Security Architecture - User ID Credentials
CCM SA-07: Security Architecture - Remote User Multi-Factor Authentication
CCM SA-14: Security Architecture - Audit Logging / Intrusion Detection
3.3 Links
1. Amazon purges account hijacking threat from site
http://www.theregister.co.uk/2010/04/20/amazon_website_treat/
Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.
4.1 Implications
While most providers strive to ensure security is well integrated into their service models, it is critical for consumers of those services to understand the security implications associated with the usage, management, orchestration and monitoring of cloud services. Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.
4.2 Controls
CCM IS-08: Information Security - User Access Restriction/Authorization
CCM SA-03: Security Architecture - Data Security/Integrity
CCM SA-04: Security Architecture - Application Security
4.3 Links
1. Insecure API Implementations Threaten Cloud
http://www.darkreading.com/cloud-security/167901092/security/application-security/232900809/insecure-api-implementations-threaten-cloud.html
2. Web Services Single Sign-On Contains Big Flaws
http://www.darkreading.com/authentication/167901072/security/news/232602844/web-services-single-sign-on-contain-big-flaws.html
5.1 Implications
Experiencing a denial-of-service attack is like being caught in rush-hour traffic gridlock: there’s no way to get to your destination, and nothing you can do about it except sit and wait. As a consumer, service outages not only frustrate you, but also force you to reconsider whether moving your critical data to the cloud to reduce infrastructure costs was really worthwhile after all. Even worse, since cloud providers often bill clients based on the compute cycles and disk space they consume, there’s the possibility that an attacker may not be able to knock your service off the net completely, but may still cause it to consume so much processing time that it becomes too expensive for you to run and you’ll be forced to take it down yourself.
5.2 Controls
CCM IS-04: Information Security - Baseline Requirements
CCM OP-03: Operations Management - Capacity/Resource Planning
CCM RS-07: Resiliency - Equipment Power Failures
CCM SA-04: Security Architecture - Application Security
5.3 Links
1. As Cloud Use Grows, So Will Rate of DDoS Attacks
http://www.infoworld.com/d/cloud-computing/cloud-use-grows-so-will-rate-of-ddos-attacks-211876
6.1 Implications
A malicious insider, such as a system administrator, in an improperly designed cloud scenario can have access to potentially sensitive information.
From IaaS to PaaS and SaaS, the malicious insider has increasing levels of access to more critical systems, and eventually to data. Systems that depend solely on the cloud service provider (CSP) for security are at great risk here. Even if encryption is implemented, if the keys are not kept with the customer and are only available at data-usage time, the system is still vulnerable to malicious insider attack.
6.2 Controls
CCM CO-03: Compliance - Third Party Audits
CCM DG-01: Data Governance - Ownership / Stewardship
CCM DG-03: Data Governance - Handling / Labeling / Security Policy
CCM DG-07: Data Governance - Information Leakage
CCM FS-02: Facility Security - User Access
CCM FS-05: Facility Security - Unauthorized Persons Entry
CCM FS-06: Facility Security - Off-Site Authorization
CCM HR-01: Human Resources Security - Background Screening
CCM IS-06: Information Security - Policy Enforcement
CCM IS-08: Information Security - User Access Restriction / Authorization
CCM IS-10: Information Security - User Access Reviews
CCM IS-13: Information Security - Roles / Responsibilities
CCM IS-15: Information Security - Segregation of Duties
CCM IS-18: Information Security - Encryption
Basically, a threat is something that is a source of danger, while an attack is the act of taking the initiative and going on the offensive.
In this context a security attack is any action that compromises the security of information, whether stored or in transit.
7.0 Top Threat: Abuse of Cloud Services
One of cloud computing’s greatest benefits is that it allows even small organizations access to vast amounts of computing power. It would be difficult for most organizations to purchase and maintain tens of thousands of servers, but renting time on tens of thousands of servers from a cloud computing provider is much more affordable. However, not everyone wants to use this power for good. It might take an attacker years to crack an encryption key using his own limited hardware, but using an array of cloud servers, he might be able to crack it in minutes. Alternatively, he might use that array of cloud servers to stage a DDoS attack, serve malware or distribute pirated software.
8.0 Top Threat: Insufficient Due Diligence
Cloud computing has brought with it a gold rush of sorts, with many organizations rushing into the promise of cost reductions, operational efficiencies and improved security. While these can be realistic goals for organizations that have the resources to adopt cloud technologies properly, too many enterprises jump into the cloud without understanding the full scope of the undertaking.
Without a complete understanding of the CSP environment, applications or services being pushed to the cloud, and operational responsibilities such as incident response, encryption, and security monitoring, organizations are taking on unknown levels of risk in ways they may not even comprehend, but that are a far departure from their current risks.
9.0 Top Threat: Shared Technology Vulnerabilities
Cloud service providers deliver their services in a scalable way by sharing infrastructure, platforms, and applications. Whether it’s the underlying components that make up this infrastructure (e.g. CPU caches, GPUs, etc.) that were not designed to offer strong isolation properties for a multi-tenant architecture (IaaS), re-deployable platforms (PaaS), or multi-customer applications (SaaS), the threat of shared vulnerabilities exists in all delivery models. A defence-in-depth strategy is recommended and should include compute, storage, network, application and user security enforcement, and monitoring, whether the service model is IaaS, PaaS, or SaaS. The key is that a single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud.
In November 2012, researchers from the University of North Carolina, the University of Wisconsin and RSA Corporation released a paper describing how a virtual machine could use side channel timing information to extract private cryptographic keys being used in other virtual machines on the same physical server.
* This list of countermeasures is not exhaustive. In the next slides we discuss some of the various security enforcement techniques used to address issues in cloud computing.
The number of layers varies with the system and environment in which the mechanism is being implemented. The diagram in the next slide uses 7 layers and is suitable for cloud environments.
One time Passwords – Every new access request requires new password.
Federated Identity management – organisations authenticate users using a chosen identity provider. (e.g. “Securico” uses The police fingerprint database)
OpenID – An open standard for decentralized authentication and access control.
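The one-time password bullet above, and the earlier recommendation to use strong two-factor authentication against account hijacking, both rest on the same mechanism: a code derived from a shared secret that is valid for a single use or a short time window. The block below is an added example, not code from the slides or any project they mention; it implements HOTP (RFC 4226) and time-based TOTP (RFC 6238) with the Python standard library and adds the two server-side checks a practitioner needs, a small acceptance window for clock drift and rejection of a code that has already been consumed. The secret, time values and class name are assumptions for illustration; the reference secret `12345678901234567890` and its expected codes come from the test vectors published in those RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte selects the 4-byte window
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, int(for_time) // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, as authenticator apps expect it during enrolment."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Server-side verifier (hypothetical class): tolerates +/-window steps of clock drift
    and never accepts the same counter twice, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1                       # highest counter already consumed

    def verify(self, candidate: str, now: float = None) -> bool:
        if now is None:
            now = time.time()
        # Reject anything that is not exactly `digits` ASCII digits before doing any comparison.
        if len(candidate) != self.digits or not (candidate.isascii() and candidate.isdigit()):
            return False
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:         # already used (or older than a used one): replay
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):   # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Reference secret from RFC 4226 / RFC 6238 (constructed demo, not a real credential).
    demo_secret = b"12345678901234567890"
    print("enrol with:", provisioning_secret(demo_secret))
    print("code at t=59:", totp(demo_secret, 59))     # "287082" per RFC 6238
    v = TotpVerifier(demo_secret)
    print("first use accepted:", v.verify("287082", 59))
    print("replay rejected:  ", v.verify("287082", 59))
```

Keeping `last_counter` per user (in a datastore, not in memory, on a real deployment) is what turns a time-based code into a genuinely one-time password; without it an attacker who phishes a code can reuse it for the rest of the 30-second step and the drift window. The window of one step on either side is the usual trade-off between tolerating client clock skew and keeping the number of codes accepted at any instant small.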
It seems there is only one direction the world is heading, towards cloud-based IT, with the introduction of technology such as the internet of things and SaaS.
Adobe is moving all its products to the cloud (SaaS) such that instead of buying a product installation disc and installing it on a PC, the clients just buy a subscription and do not have to install anything.
This brings about the need for people to know about security in cloud and grid computing.
Cloud computing increases revenue (for businesses), reduces operational costs (through utility computing) and is less risky (because of the various security mechanisms implemented).
The pros of cloud computing are scalability, transparency and instant availability.
Although the cloud may seem to have increased the damage risk of attacks (VOA), it is actually relatively safe.
However one must be very careful to understand the security risks and challenges posed in utilizing these technologies before using the cloud and choosing a CSP.
With the evolution of computing it is good to actually embrace cloud computing.