Security in cloud (and grid) computing Overview

Overview
1. Cloud Computing
1. Definition (Cloud computing)
2. Application (Examples of Application)
3. How cloud computing works
2. Grid Computing
1. Definition (Grid computing)
2. Large scale Application
3. How grid computing works
3. Security in Cloud (and Grid) Computing
1. Threats and Vulnerabilities
2. Counter Measures
3. Points to note and conclusion
11/2014 Dougie T Muringani :- Security 06/11/2014 Dougie T Muringani :- Securitiyn iCnlo uCdl o(aundd G(aridn)d C oGmrpiudt)in Cgomputing) 22

Cloud Computing
Def. - Internet-based
computing, whereby
shared computing
resources, software, and
information are provided
on demand via the internet
06/11/2014 Dougie T Muringani :- Security in Cloud (and Grid) Computing) 3

Cloud Computing (Applications and Examples)
Popular Applications and Services
File Processing and Storage (IaaS) Accounting software and services (SaaS)
Application software and Email services Email (Hosted exchange servers) Solutions

Applications ... cont.
• The main idea or goal of cloud computing is separating the
application software from the OS and the OS from the Hardware.
• Also cloud computing enhances the scalability, reliability (Instant
Availability) attributes of a system as well as Remote processing and
Ubiquitous computing.
• For instance Google Drive allows users to store Files “on the
cloud” so that they can be accessed at any time (Instant
any device as long as your provide valid log in credentials. Location
(Ubiquitous computing) does not affect this either.
* Ubiquitous computing (Also known as Pervasive
– Is an advanced computing concept where computing is
everywhere and anywhere.

How CC works
• To get cloud computing to work, you need three things: thin clients,
grid computing, and utility computing.
• Grid computing links disparate computers to form one large
infrastructure, harnessing unused resources.
• Utility computing is paying for what you use on shared servers
pay for a public utility (such as electricity, water, and so on).
• With grid computing, you can provision computing resources as a
utility that can be turned on or off.
• Cloud computing goes one step further with on-demand resource
provisioning.
• This eliminates overprovisioning when used with utility pricing and
removes the need to over-provision in order to meet the demands of
millions of users.

How CC works ... cont.
06/11/2014
Dougie T Muringani :- Security in Cloud (and Grid) Computing)
7
• A consumer can get service from a full computer
infrastructure through the Internet. This type of service
is called Infrastructure as a Service (IaaS). Internet-based
services such as storage and databases are part
of the IaaS.
• Other types of services on the Internet are Platform as a
Service (PaaS) and Software as a Service (SaaS).
• PaaS offers full or partial application development that
can access, while SaaS provides a complete turnkey
application, such as Enterprise Resource Management
through the Internet.

06/11/2014 Dougie T Muringani :- Security in Cloud (and Grid) Computing 8

Cloud Computing Models
• Public Cloud – The Public Cloud allows systems and services
to be easily accessible to general public, e.g., Google,
Amazon, Microsoft offers cloud services via the Internet.
Internet.

Models cont...
• Private Cloud – The Private Cloud allows systems and services to be
accessible with in an organization. The Private Cloud is operated only
within a single organization. However, It may be managed internally or by
or by third-party.

Models cont...
• Hybrid Cloud – The Hybrid Cloud is a mixture of public and
private cloud. Non-critical activities are performed using
using public cloud while the critical activities are performed
performed using private cloud.

Grid Computing
Def. - The term “Grid” refers to systems and
applications that integrate and
manage resources and
services distributed
across multiple
control domains.

Definition (Grid Computing) ...cont.
• Grid computing is a form of distributed computing that
involves coordinating and sharing computing,
application, data and storage or network resources
across dynamic and geographically dispersed
organization.
• The grid can be thought of as a distributed system with
non-interactive workloads that involve a large
number of files.
• Grid computing combines computers from multiple
administrative domains to reach a common goal, to
solve a single task, and may then disappear just as
quickly.

GC (Applications and Examples)
• IBM’s SETI@home ("SETI at home") is an Internet based public
volunteer computing project. SETI is an acronym for the Search for
Extra-Terrestrial Intelligence. Its purpose is to analyse radio signals,
searching for signs of extra terrestrial intelligence, and is one of
many activities undertaken as part of SETI.
• Anybody with an at least intermittently Internet-connected
computer can participate in SETI@home by running a free program
that downloads and analyses radio telescope data.
• The Worldwide LHC Computing Grid (WLCG) is a global
collaboration of computer centres. It was launched in 2002 to
provide a resource to store, distribute and analyse the 15 petabytes
(15 million gigabytes) of data generated every year by the Large
Hadron Collider (LHC).

How Grid computing works
• One of the main strategies of grid computing is to use
middleware to divide and apportion pieces of a
among several computers, sometimes up to as many as
thousands.
• It may also involve the aggregation of large-scale
clusters.
• This technology has been applied to computationally
intensive scientific, mathematical, and academic
through volunteer computing

How GC works ...cont.
Similarities and differences:
Grid and Cloud computing
• Cloud computing and grid computing are scalable.
• CPU and network bandwidth is allocated and de-allocated
on demand.
• The system's storage capacity goes up and down
depending on the number of users, instances, and
the amount of data transferred at a given time.
• While the storage computing in the grid is well
suited for data-intensive storage, it is not
economically suited for storing objects as small as 1
byte. Distributed data must be large for maximum
benefit.

CC vs. GC ...cont.
INCLUDED IN PRESENTATION FOLDER:
Cloud Computing Vs. Grid Computing
Seyyed Mohsen Hashemi, Amid Khatibi Bardsiri (Journal)

Security issues in Cloud
(and Grid) computing
Computer security refers to techniques for
ensuring that data stored in a computer or data
in transit cannot be read or compromised by any
individuals without authorization.
How safe is the
Hcolwo ucadn? we ensure data
security in the cloud?

How safe (and/or reliable) is the
c•loMuosdt c?ompanies or organisations connect their servers to
the internet which essentially makes them as relatively
equally vulnerable as the Cloud. But then most of these
companies do not invest much in security.
• The hosting companies, on the other hand, have security
experts that are actually employed for that particular
task. making the cloud actually safer than local severs,
not to mention the various kinds of physical risks such as
theft, floods, fire or even loss of power.
* Take for instance security on
Facebook or Google Drive

Threats (to data Security in the cloud)
The CSA (Cloud Security Alliance) identified
"The Notorious Nine," the top 9 cloud computing
threats:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service (DoS)
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
For Time’s sake, only threats
1-6 will be discussed in this
presentation. The rest are
explained in detail in the (Notorious 9)
pdf document included in the
presentation folder.
© 2013, Cloud Security Alliance. All rights reserved.

The Notorious Nine
1.0: Data Breaches
• Organization’s sensitive internal data falls into the hands of
their competitors or Hackers.
• In November 2012, researchers from the University of
North Carolina, the University of Wisconsin and RSA
released a paper describing how a virtual machine could use
side channel timing information to extract private
cryptographic keys being used in other virtual machines on
the same physical server.
• You may be able to encrypt your data to reduce the impact of a data
breach, but if you lose your encryption key, you’ll lose your
dataas well.

The Notorious Nine ...cont. (1)
2.0: Data Loss
• Data stored in the cloud can be lost due to reasons other than
malicious attackers.
• Any accidental deletion by the cloud service provider, or worse,
a physical catastrophe such as a fire or earthquake, could lead to
the permanent loss of customers’ data unless the provider takes
adequate measures to backup data.
• Also, If a customer encrypts his or her data before uploading it to
the cloud, but loses the encryption key, the data will be lost as well.
• Under the new EU data protection rules, data destruction and corruption of
personal data are considered forms ofdata breaches and would require
appropriate notifications.

3.0: Account or Service Traffic Hijacking
• Attack methods such as phishing, fraud, and exploitation of software
vulnerabilities still achieve results.
• With stolen credentials, attackers can often access critical areas of
deployed cloud computing services, allowing them to compromise the
the confidentiality, integrity and availability of those services.

4.0: Insecure Interfaces and APIs
• Cloud computing providers expose a set of software
interfaces or APIs that customers use to manage and interact
with cloud services. Provisioning, management,
orchestration, and monitoring are all performed using these
interfaces.
• The security and availability of general cloud services is
dependent upon the security of these basic APIs. These
must be designed to protect against both accidental and
malicious attempts to circumvent policy.

5.0: Denial of Service
• As a consumer, service outages not only frustrate you, but also
force you to reconsider whether moving your critical data to
the cloud to reduce infrastructure costs was really worthwhile
after all. (The EBay example)
• Since cloud providers often bill clients based on the compute
cycles and disk space they consume, there’s the possibility that
an attacker may not be able to completely knock your service
off of the net, but may still cause it to consume so much
processing time that it becomes too expensive for you to run
and you’ll be forced to take it down yourself.

6.0: Malicious Insiders
• European Council for Nuclear Research (Conseil Européen
pour la Recherche Nucléaire ), CERN defines an insider threat as
such:
• “A malicious insider threat to an organization is a
current or former employee, contractor, or other
partner who has or had authorized access to an
organization's network, system, or data and intentionally
exceeded or misused that access in a manner that
negatively affected the confidentiality, integrity, or
availability (CIA) of the organization's information or
information systems.”

Threats (and Attacks) ...cont.
7.0: Abuse of Cloud Services
8.0: Insufficient Due Diligence
9.0: Shared Technology Issues
These are explained in detail
in the (Notorious 9) pdf
document and on the slide
• Although we only discussed then tootpes 9 threats to cloud
computing, other threats lie in cloud computing. It is from these
threats that attacks are perpetrated. Examples of such attacks
are:
• Replay attacks
• Social engineering
• Sync Flood (DoS)
• Web spoofing

Countermeasures
How can we ensure data security
in the cloud?
Cloud Security Concerns:
• Multitenancy
• Velocity of Attack
• Information Assurance
• Data privacy and ownership
• The Notorious 9 (threats)
• etc...

Countermeasures...cont. (1)
Multitenancy
• Multitenancy basically means offering cloud services to
multiple clients (Tenants)
• The best counter measure to multi-tenancy security issues is
Mutual Client Isolation. That is Isolating the virtual
data itself and the network communication
Velocity of attack
• The security threats amplifies and spread quickly in a cloud.
This is known as Velocity of Attack (VOA)
• The best counter measure to VOA is to adopt more robust
security enforcement mechanisms such as Defence In
Depth (discussed in next slides)

Countermeasures...cont. (2)
Information Assurance and Data ownership
• Information Assurance concerns in cloud computing
involve CIA (Confidentiality, Integrity, Availability),
Authenticity and Authorized use.
• Data ownership concerns are mainly raised by the cloud
owners.
• In cloud computing, data belonging to a client is
maintained by a Cloud Service Provider (CSP) who
has access to it but is not the legitimate owner of the data.
• The best counter measure to these concerns is to use
security enforcement techniques Data encryption,
access control mechanisms, Data Shredding (for
divers) and Identity Management (IM).

Security enforcement (techniques)
Defence In Depth
• It is also known as "Layered approach" to security.
• it is a mechanism which uses multiple security measures, to
reduce the risk of security threats if one component of the
protection gets compromised.
LAYERS
1. Perimeter Security (Physical Security)
2. Remote Access Controls (VPN, Authentication, etc.)
3. Network Security (Firewalls, DMZ, etc.)
*Layer 1-3 protect a system and/or data mainly from
external threats
4. Computer Security ( Antivirus, Hardening, etc.)
5. Storage Security (Encryption, Zoning, etc.)
*The rest of the layers mainly mitigate internal threats

Security enforcement ...cont. (1)
Multiple-Factor Authentication
• This is a technique that was created in the hope of improving the
traditional “username + password” authentication technique. It
employs more (factors) than just a password to gain access to a system
or file.
• Multi-factor authentication:
• 1st factor - what does person know (e.g. Password)
• 2nd factor - what does person have (e.g. Credit Card)
• 3rd factor - who is the user (e.g. Biometric Signature)
• Here access is granted only if all the specified factors are validated

06/11/2014 Dougie T Muringani :- Security in Cloud (and Grid)
Computing)
34
Security enforcement ...cont. (2)
Encryption
• This is the activity of converting data or information
into code or a form that can not e meaningful without
Hsapredceinailn kgnowledge.
• This is a process of changing the default
configurations in order to achieve greater security
Identity Management
• One time Passwords
• Federated Identity management
• OpenID
Intrusion Detection, Role-based access control, etc.

Computing)
35
Conclusion
Summary and Recommendations
• Cloud computing increases Revenue, reduces
operational costs and less risky
• The Pros of Cloud computing are scalability,
transparency and instant availability.
• Although the cloud may seem like it has increased
damage risk of attacks (VOA), it is actually
relatively safe.
• However one must be very careful to understand the
security risks and challenges posed in utilizing these
technologies before using the cloud and choosing a CSP.
• With the evolution of computing it is good to actually embrace
cloud computing.

References
1. Ali Raza Butt et. Al, Grid-computing portals and security issues (2003), Academic
Computing)
37
Press.
2. CLOUD SECURITY ALLIANCE, The Notorious Nine: Cloud Computing Top
Threats in (2013)
3. Neha Mishra1, SECURITY ISSUES IN GRID COMPUTING Volume 4 (2014),
International Journal on Computational Sciences & Applications (IJCSA).
4. Kuyoro S. O., et. Al, Cloud Computing Security Issues and Challenges Volume 3
(2011), International Journal of Computer Networks (IJCN).
5. Seyyed Mohsen Hashemi, Cloud Computing Vs. Grid Computing (2012), ARPN
Journal of Systems and Software (AJSS)
6. http://home.web.cern.ch/about/computing/worldwide-lhc-computing-grid
7. http://www.cnet.com/news/ebay-hacked-requests-all-users-change-passwords/
8. http://www.itpro.co.uk
9. http://www.wikipedia.com

Security in cloud (and grid) computing Overview

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Security in cloud (and grid) computing Overview

Similar to Security in cloud (and grid) computing Overview (20)

Recently uploaded

Recently uploaded (20)

Security in cloud (and grid) computing Overview

Editor's Notes