CLOUD SERVICES AND SECURITY
Presented by: Jaspreet Kaur
Shipra Kataria
PEC UNIVERSITY OF TECHNOLOGY
Cloud Computing
Cloud computing involves distributed computing over a network, where a program or application may run on many connected computers at the same time.
It has been considered one of the most promising solutions to our increasing demand for accessing and using resources provisioned over the Internet.
The concept behind this new trend originated in 1960 and was used by telecommunication companies.
A study by Gartner ranked Cloud Computing first among the top 10 most important technologies.
Cloud computing exhibits the following key characteristics.
a. Broad Network Access
b. Rapid Elasticity
c. Measured Service
d. On demand self service
e. Resource Pooling
Service Delivery Model
Cloud Software as a Service (SaaS): SaaS, also referred to as "on-demand software", is a software delivery model in which software and associated data are centrally hosted in the cloud.
Cloud Platform as a Service (PaaS): PaaS is a cloud computing service that provides a computing platform and solution stack as a service. It gives the consumer the capability to deploy applications onto the cloud infrastructure.
Cloud Infrastructure as a Service (IaaS): The IaaS service model gives the consumer the capability to provision storage, network, processing and other computing resources.
Cloud Deployment Models
Public Cloud: In this type of cloud, the cloud infrastructure is managed by an organization selling cloud services. Service providers like Amazon, Microsoft and Google own all the infrastructure at their data centres. Public cloud services may be free or offered on a pay-per-usage model.
Private Cloud: In this type of cloud the infrastructure is available only to a specific customer and placed within the internal data centre of an organization. It is managed either by the organization itself or by a third-party service provider.
Community Cloud: This type of cloud infrastructure is controlled and shared by several organizations from the same community with common concerns.
Hybrid Cloud: The cloud infrastructure is a mixture of two or more clouds (public, private or community) that are managed centrally and circumscribed by a secure network. It allows multiple entities to access the cloud through the Internet in a more secure way than public clouds.
NIST Visual Model of cloud computing
Cloud Computing Security Scenario
The fame of cloud computing is due to the fact that many enterprise applications and data are moving towards cloud platforms, but lack of security is the major obstacle to cloud adoption.
According to a recent survey by International Data Corporation (IDC), 87.5% of respondents at various levels, from IT executives to CEOs, said that security is the topmost challenge to be dealt with in every cloud service. Security is the primary concern and the greatest inhibitor in cloud computing.
VARIOUS THREATS
A threat is a potential cause of an incident that may result in harm to systems and organizations. The following threats illustrate the possibility of compromising an entire cloud network.
1. Abuse of cloud computing: This threat is related to shortcomings of the registration process associated with the cloud. Examples include Info Stealer Trojan horses and downloads for Microsoft Office and Adobe PDF exploits.
2. Insecure interfaces and APIs: Sometimes in the cloud, information that is not deleted could reside in insecure locations, which may cause inconsistency. Examples include flexible access controls and improper authorizations, and limited monitoring and logging capabilities.
3. Data Loss or Leakage: Threats related to data loss or leakage depend upon how data is organized or structured. The following points should be kept in mind while protecting data from any loss or leakage.
The data of organizations should reside in servers of other nations.
Unauthorized parties must be prevented from gaining access to sensitive data.
Data retained by the cloud provider should reside on the provider's server for the same duration even after it has been deleted by the client.
Examples are insufficient client authentication, authorization and audit controls (AAA).
4. Malevolence: This threat originates from a lack of transparency into the provider's processes and procedures. If the factors affecting the hiring of new employees are not considered, it may give an adversary the opportunity to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.
5. Virtualization threats: Virtualization introduces certain risks to the applications running on it:
Dependency on a Secure Hypervisor: Security can be breached here as all the information is stored on a common storage system. By gaining access to this information, an adversary can launch many attacks, such as VM hijacking.
RISKS INVOLVED
Risk is exposure to danger, harm, or loss. There are certain risks in residing data at a provider's infrastructure, which are as follows:
a. Shared Access Vulnerabilities
b. Virtual Exploits
c. Authentication, Authorization & Access Control
d. Availability
e. Ownership
Service & Security Offerings and Compliance
Google apps & Google Engine
Amazon Web Services
Google Apps & Google Engine
Google Apps is a service from Google that provides independently customizable versions of several Google products using a domain name provided by the customer.
Features several Web applications with similar functionality including Gmail, Google Calendar, Docs, Drive, Groups, News, Play, Sites, Talk.
Google Apps has passed FISMA certification meaning that they are compliant with federal law for holding data for government agencies.
Google Apps controls & Protocols
a. Logical security
b. Privacy
c. Data center physical security
d. Incident management and availability
e. Change management
f. Organization and administration
Two-factor authentication
First step: login using the username and password. This is an application of the knowledge factor.
Second step: the phone's IMEI (International Mobile Station Equipment Identity).
Access to their services is HTTPS enabled, so data can be protected in transit.
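The two-step login described above, as an added example that is not from the presentation and not Google's own code: the first step checks a salted password hash (the knowledge factor); for the second step the example substitutes a time-based one-time code generated on the user's phone (RFC 6238 TOTP, built here from the Python standard library) for the IMEI mentioned in the slide, because a code that changes every 30 seconds and is accepted only once gives the server something it can verify as a possession factor. The user record, demo password and salt are constructed; the TOTP secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30  # seconds per time step (RFC 6238 default)


# ---- Step 1: knowledge factor (something the user knows) ----
def enroll_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; the server stores (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# ---- Step 2: possession factor (something the user has: a phone generating codes) ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, now // step)


def two_step_login(users: Dict[str, dict], username: str, password: str,
                   code: str, now: int) -> Tuple[bool, str]:
    """Both factors must pass. A code is accepted once only (replay protection) and
    within +/- one time step to tolerate clock drift between phone and server."""
    record = users.get(username)
    if record is None or not verify_password(password, record["salt"], record["digest"]):
        return False, "first step failed"  # same message for unknown user and wrong password
    for drift in (-1, 0, 1):
        counter = now // TOTP_STEP + drift
        if counter <= record["last_counter"]:
            continue  # this code (or an older one) has already been accepted
        expected = hotp(record["totp_secret"], counter).encode("ascii")
        if hmac.compare_digest(expected, code.encode("utf-8")):
            record["last_counter"] = counter  # burn the code so it cannot be replayed
            return True, "both steps passed"
    return False, "second step failed"


# Constructed sample user directory (not real credentials); fixed salt so results are reproducible.
DEMO_SECRET = b"12345678901234567890"  # RFC 6238 test key
DEMO_SALT, DEMO_DIGEST = enroll_password("correct horse battery staple", salt=b"\x00" * 16)
USERS = {
    "alice": {"salt": DEMO_SALT, "digest": DEMO_DIGEST,
              "totp_secret": DEMO_SECRET, "last_counter": -1},
}

if __name__ == "__main__":
    t = 59  # RFC 6238 test time: time step 1, code 287082
    print(two_step_login(USERS, "alice", "correct horse battery staple", totp(DEMO_SECRET, t), t))
    print(two_step_login(USERS, "alice", "correct horse battery staple", totp(DEMO_SECRET, t), t))  # replay
    print(two_step_login(USERS, "alice", "wrong password", totp(DEMO_SECRET, t), t))
```

The login fails closed on either factor and reports the same message for an unknown user and a wrong password, so the first step does not reveal which accounts exist; the second step keeps the last accepted time step per user so that an intercepted code cannot be reused within its validity window.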
Data stored on Google’s servers is replicated to several data centers so even a major outage to a data center does not destroy the data.
Google also performs internal audits of their application code, as well as having external audits.
Physical access to data centers is restricted to an as-needed basis and the data centers themselves have network and power redundancies.
Geographical Location
Control Environment
Amazon Web Services, abbreviated as AWS, is a collection of remote computing services that together make up a cloud computing platform.
Amazon Elastic Compute Cloud provides a complete rented computer that users can use as a computing utility.
The goal is to protect data against unauthorized systems or users and to provide Amazon EC2 instances.
Amazon Elastic Compute Cloud
Multiple levels of security
a. Host operating system
b. Guest operating system
c. Firewall
Services
Well-known services are Amazon EC2, S3 and Amazon SimpleDB.
Elastic Compute Cloud(EC2): It provides a virtual rented computer with the help of Xen.
Simple Storage Service: It provides storage to various applications so that users can do computations and developments onto that space and store them for further use.
Amazon Virtual Private Cloud: It creates a logically isolated set of Amazon EC2 instances which can be connected to an existing network using a VPN connection.
Hypervisor
It is conceptually one level higher than a supervisory program.
The hypervisor presents to the guest operating systems a virtual operating platform and manages the execution of the guest operating systems.
Multiple instances of a variety of operating systems may share the virtualized hardware resources.
Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor, taking advantage of paravirtualization.
Instance Isolation
Different instances running on the same physical machine are isolated from each other via the Xen hypervisor.
The AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface.
All packets must pass through this layer, so an instance's neighbors on the same host have no more access to that instance than any other host.
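An added model of the hypervisor-layer filtering idea, written for this page and not AWS code: a default-deny ingress filter that judges every packet by the destination instance's own rules and never consults where the packet came from, so a co-located instance is treated exactly like a host on the Internet. Instances, addresses and rules are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP (an instance's virtual interface)
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class IngressRule:
    proto: str
    dport: int
    source: str  # CIDR allowed to reach this port


@dataclass
class Instance:
    name: str
    ip: str
    ingress: List[IngressRule] = field(default_factory=list)  # empty list = nothing admitted


class HypervisorFirewall:
    """Models the filter sitting between the physical NIC and each instance's virtual
    interface. Every packet bound for an instance on this host is checked against that
    instance's own ingress rules; host placement of the sender is deliberately not an input."""

    def __init__(self, instances: List[Instance]):
        self.by_ip: Dict[str, Instance] = {i.ip: i for i in instances}

    def decide(self, pkt: Packet) -> str:
        target = self.by_ip.get(pkt.dst)
        if target is None:
            return "DROP"  # not an instance on this host
        src = ip_address(pkt.src)
        for rule in target.ingress:
            if (rule.proto == pkt.proto and rule.dport == pkt.dport
                    and src in ip_network(rule.source)):
                return "ALLOW"
        return "DROP"  # default deny


# Constructed host: two instances of one tenant plus another tenant's instance sharing the hardware.
WEB = Instance("web", "10.0.0.10", [
    IngressRule("tcp", 443, "0.0.0.0/0"),       # public HTTPS
    IngressRule("tcp", 22, "203.0.113.0/24"),   # SSH only from the admin network
])
DB = Instance("db", "10.0.0.20", [
    IngressRule("tcp", 5432, "10.0.0.10/32"),   # only the web instance may reach the database
])
NEIGHBOR = Instance("other-tenant", "10.0.0.30")  # no ingress rules at all


def run_demo() -> Dict[str, str]:
    """Return the verdict for a set of constructed packets, keyed by a short description."""
    fw = HypervisorFirewall([WEB, DB, NEIGHBOR])
    cases = {
        "internet->web:443": Packet("198.51.100.7", "10.0.0.10", "tcp", 443),
        "internet->web:22": Packet("198.51.100.7", "10.0.0.10", "tcp", 22),
        "admin->web:22": Packet("203.0.113.5", "10.0.0.10", "tcp", 22),
        "web->db:5432": Packet("10.0.0.10", "10.0.0.20", "tcp", 5432),
        "neighbor->db:5432": Packet("10.0.0.30", "10.0.0.20", "tcp", 5432),  # co-located, still filtered
        "neighbor->web:22": Packet("10.0.0.30", "10.0.0.10", "tcp", 22),
        "neighbor->web:443": Packet("10.0.0.30", "10.0.0.10", "tcp", 443),   # same access as anyone else
        "anyone->neighbor:80": Packet("198.51.100.7", "10.0.0.30", "tcp", 80),
    }
    return {name: fw.decide(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22s} {verdict}")
```

The point the model makes is that the neighbor's packets to the database port and to SSH are dropped for the same reason an Internet host's would be: the destination's rules do not admit that source. The only thing the neighbor can reach is the public HTTPS port, which is open to everyone.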
Countermeasures
a. Authentication and ID management
b. Workload analysis and allocation
c. Use of data encryption
d. Better enterprise infrastructure
Conclusion & Future Scope
The classification of various threats discussed in this paper helps cloud users to make a proper choice and also helps cloud providers to handle such threats efficiently.
Various cloud providers like Amazon, Google & Windows Azure are liable to users for their services.
The future work of the authors would comprise developing a model to detect and prevent the most common virtualization-related threats and risks.
Please Ask…