4. Cloud computing
A model for enabling:
ubiquitous,
convenient,
on-demand network access
to a shared pool of configurable computing resources that can
be rapidly provisioned and released with minimal management.
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://en.wikipedia.org/wiki/File:Cloud_computing.svg
5. Service models
Infrastructure as a Service (IaaS).
Platform as a Service (PaaS).
Software as a Service (SaaS).
http://lh6.ggpht.com/-t0mXLnfOQnM/ThMyEzI34LI/AAAAAAAAALU/6OLqERfVAu8/cloud-delivery-models_thumb%25255B4%25255D.png
6. Deployment models
Public cloud.
Provisioned for open use by general public.
Owned, managed and operated by business, academic or
government organization or a combination.
Exists on premises of cloud provider.
Private cloud.
Exclusive use by a single organization with multiple business
units.
Hybrid cloud.
Composition of two or more cloud infrastructures.
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
7. SaaS layer
Software applications which are loaded in a cloud platform made
accessible to consumers from various client devices.
Consumer doesn’t manage or consume underlying cloud infrastructure.
[Figure: SaaS layered architecture, top to bottom: three Service App (SaaS) boxes; Platform Business Service (PaaS); Tenant, Data Service, Management; System Infrastructure (IaaS); Hardware Infrastructure (IaaS)]
http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=5704104
9. SaaS possible exploits
Two main points of entry into SaaS layer:
User Point of Entry
o Most common point of attack in a SaaS model
Provider Point of Entry
An example query that exploits the vulnerability in most
database servers, such as PostgreSQL and MySQL, and would grant
the attacker administrator privileges:
<?php
// $uid: ' or uid like '%admin%
$query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%';";

// $pwd: hehehe', trusted=100, admin='yes
$query = "UPDATE usertable SET pwd='hehehe', trusted=100, admin='yes' WHERE
...;";
?>
http://php.net/manual/en/security.database.sql-injection.php
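The two injected values above, run against a string-built and a parameterized version of the same UPDATE. This is an added example, not code from the original slides or the PHP manual; the in-memory SQLite table, its rows and the helper function names are constructed for illustration.

```php
<?php
// Added example. Table contents and helper names are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function reset_table(PDO $db): void {
    $db->exec("DROP TABLE IF EXISTS usertable");
    $db->exec("CREATE TABLE usertable (uid TEXT PRIMARY KEY, pwd TEXT, trusted INTEGER, admin TEXT)");
    $db->exec("INSERT INTO usertable VALUES ('alice','old-a',0,'no'), ('admin','old-adm',100,'yes')");
}

// Vulnerable: input is pasted into the SQL text, so quotes in it change the statement.
function change_password_unsafe(PDO $db, string $uid, string $pwd): int {
    return $db->exec("UPDATE usertable SET pwd='$pwd' WHERE uid='$uid'");
}

// Hardened: the statement is fixed; input is bound as data and never parsed as SQL.
// (pwd is stored as given only to mirror the slide's query; real code stores a hash.)
function change_password_safe(PDO $db, string $uid, string $pwd): int {
    $stmt = $db->prepare("UPDATE usertable SET pwd = :pwd WHERE uid = :uid");
    $stmt->execute([':pwd' => $pwd, ':uid' => $uid]);
    return $stmt->rowCount();
}

function show(PDO $db, string $label, int $affected): void {
    echo "$label (rows affected: $affected)\n";
    foreach ($db->query("SELECT uid, pwd, trusted, admin FROM usertable ORDER BY uid") as $r) {
        echo "  {$r['uid']}: pwd={$r['pwd']} trusted={$r['trusted']} admin={$r['admin']}\n";
    }
}

// The two inputs shown in the slide's comments.
$uid_payload = "' or uid like '%admin%";
$pwd_payload = "hehehe', trusted=100, admin='yes";

foreach (['unsafe', 'safe'] as $variant) {
    $change = "change_password_$variant";

    reset_table($db);
    show($db, "$variant, uid payload", $change($db, $uid_payload, 'new-pw'));

    reset_table($db);
    show($db, "$variant, pwd payload", $change($db, 'alice', $pwd_payload));
}
```

With the bound version the uid payload matches no row and the pwd payload is stored as an ordinary string, leaving the trusted and admin columns untouched.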
10. SaaS attack types
The most common attacks associated with SaaS model in a public cloud
infrastructure. They are divided into the following four groups:
Availability
• Denial of Service
• Account lockout
• Buffer-overflow
Data Security
• Cross-site scripting
• Access control weakness
• Privilege escalation
Network Security
• Network Penetration
• Session Hijacking
• Data Packet Interception
Identity Management
• Authentication Weakness
• Insecure Trust
SaaS (Software as a Service) vulnerabilities
11. Recent security breaches
Data breach at Microsoft highlights security problem in
SaaS.
Panda Security hacked by Antisec.
Zero-Day vulnerability found in McAfee’s SaaS products.
12. McAfee Security breach
Zero-Day Vulnerability Found in McAfee’s SaaS Products (April 2011)
An attacker can execute arbitrary code by exploiting the flaw if the victim visits a
malicious page or opens the file.
The Common Vulnerability Scoring System scores it 9 out of a maximum of 10.
The method accepts commands that are passed to a function that simply
executes them without authentication.
McAfee SaaS includes:
Email Protection (Protection against viruses and spam)
McAfee Integrated Suites (Protection against viruses, web threats,
etc…)
Patch released in August 2011.
http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml
14. Conclusion
Cloud computing models are relatively new and are thus
susceptible to vulnerabilities.
SaaS layer in a public cloud is more vulnerable to attacks due to
access by users.
The types of attacks on SaaS products remain the same, but the
intensity of the breach increases.
A number of security criteria need to be considered while
developing a SaaS application.
Editor's notes
Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).