CLOUD SERVICES AND SECURITY. Presented by: Jaspreet Kaur Shipra Kataria PEC UNIVERSITY OF TECHNOLOGY

Cloud security and services


Page 1: Cloud security and services

CLOUD SERVICES AND SECURITY. Presented by: Jaspreet Kaur

Shipra Kataria

PEC UNIVERSITY OF TECHNOLOGY

Page 2: Cloud security and services

Cloud Computing

Cloud computing involves distributed computing over a network, where a program or application may run on many connected computers at the same time.

It has been considered one of the most promising solutions to our increasing demand for accessing and using resources provisioned over the Internet.

The concept behind this new trend originated in 1960 and was used by telecommunication companies.

Page 3: Cloud security and services

A study by Gartner considered Cloud Computing as the first among the top 10 most important technologies.

Cloud computing exhibits the following key characteristics.

a. Broad Network Access

b. Rapid Elasticity

c. Measured Service

d. On-demand self-service

e. Resource Pooling

Page 4: Cloud security and services

Service Delivery Model

Cloud Software as a Service (SaaS): SaaS, also referred to as "on-demand software", is a software delivery model in which software and associated data are centrally hosted in the cloud.

Cloud Platform as a Service (PaaS): PaaS is a cloud computing service providing a computing platform and solution stack as a service. It gives the consumer the capability to deploy applications onto the cloud infrastructure.

Cloud Infrastructure as a Service (IaaS): The IaaS service model provides the consumer the ability to provision storage, network, processing and other computing resources.

Page 5: Cloud security and services

Cloud Deployment Models

Public Cloud: In this type of cloud, the cloud infrastructure is managed by an organization selling cloud services. Service providers like Amazon, Microsoft and Google own all the infrastructure at their data centres. Public cloud services may be free or offered on a pay-per-usage model.

Private Cloud: In this type of cloud, the infrastructure is available only to a specific customer and is placed within the internal data center of an organization. It is managed either by the organization itself or by a third-party service provider.

Page 6: Cloud security and services

Community Cloud: This type of cloud infrastructure is controlled and shared by various organizations from the same community with common community concerns.

Hybrid Cloud: The cloud infrastructure is a mixture of two or more clouds (public, private or community) that are managed centrally and circumscribed by a secure network. It allows multiple entities to access the cloud through the Internet in a more secure way than public clouds.

Page 7: Cloud security and services

NIST Visual Model of cloud computing

Page 8: Cloud security and services

Cloud Computing Security Scenario

The popularity of cloud computing is due to the fact that many enterprise applications and data are moving towards cloud platforms, but lack of security is the major obstacle to cloud adoption.

According to a recent survey by International Data Corporation (IDC), 87.5 % of respondents at varied levels, from IT executives to CEOs, said that security is the top challenge to be dealt with in every cloud service. Security is the primary concern and the greatest inhibitor in cloud computing.

Page 9: Cloud security and services

VARIOUS THREATS

A threat is a potential cause of an incident that may result in harm to systems and the organization. The following threats illustrate the possibility of compromising an entire cloud network.

1. Abuse of cloud computing: This threat is related to shortcomings of the registration process associated with the cloud. Examples include Info Stealer Trojan horses and downloads for Microsoft Office and Adobe PDF exploits.

2. Insecure interfaces and APIs: Sometimes in the cloud, information that is not deleted could reside in insecure locations, which may cause inconsistency. Examples include flexible access controls and improper authorizations, and limited monitoring and logging capabilities.

Page 10: Cloud security and services

Continued….

3. Data Loss or Leakage: Threats related to data loss or leakage depend upon how data is organized or structured. The following points should be kept in mind while protecting data from loss or leakage.

The data of organizations should reside in servers of other nations.

Unauthorized parties must be prevented from gaining access to sensitive data.

The data retained by the cloud provider should reside on the provider's server for the same duration even after it has been deleted by the client.

Examples are insufficient client authentication, authorization and audit controls (AAA).

Page 11: Cloud security and services

Continued..

4. Malevolence: This threat originates from a lack of transparency into the provider's processes and procedures. If the factors affecting the hiring of new employees are not considered, it may give an adversary the opportunity to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.

5. Virtualization threats: Virtualization introduces some risks to its applications:

Dependency on a Secure Hypervisor: Security can be breached here, as all the information is stored on a common storage system. By gaining access to this information, an adversary can launch many attacks, such as a VM hijack attack.

Page 12: Cloud security and services

RISKS INVOLVED

Risk is exposure to danger, harm, or loss. There are certain risks in keeping data at the provider's infrastructure, which are as follows:

Shared Access Vulnerabilities

Virtual Exploits

Authentication, Authorization & Access Control

Availability

Ownership

Page 13: Cloud security and services

Service & Security Offerings and Compliance

Google apps & Google Engine

Amazon Web Services

Page 14: Cloud security and services
Page 15: Cloud security and services

Google Apps & Google Engine

Google Apps is a service from Google that provides independently customizable versions of several Google products using a domain name provided by the customer.

Features several Web applications with similar functionality including Gmail, Google Calendar, Docs, Drive, Groups, News, Play, Sites, Talk.

Google Apps has passed FISMA certification, meaning that it is compliant with federal law for holding data for government agencies.

Page 16: Cloud security and services

Google Apps controls & Protocols

Logical security

Privacy

Data center physical security

Incident management and availability

Change management

Organization and administration

Page 17: Cloud security and services

Two factor authentication

First step: login using the username and password. This is an application of the knowledge factor.

Implementation of the second step: the phone's IMEI (International Mobile Station Equipment Identity).

Access to their services is HTTPS enabled, so data can be protected in transit.
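The two-step login described on this slide, as an added example that is not code from the original presentation or from Google: step one checks something the user knows (a password, stored as a salted PBKDF2 hash), and step two checks something the user has. For the second step the example uses a TOTP code (RFC 6238) generated on the phone, a swapped-in technique chosen so the check is verifiable offline; the slide itself names the phone's IMEI. The user record, password and TOTP secret are constructed sample data, and `verify_login` is a hypothetical function name.

```python
"""Two-step login check: knowledge factor (password) then possession factor
(TOTP code from a phone). Added example; all user data below is constructed."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# --- Step 1: knowledge factor --------------------------------------------
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 digest of the password; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# --- Step 2: possession factor (HOTP / TOTP) -------------------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time / step."""
    return hotp(secret, now // step, digits)


def check_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one time step either side to absorb clock skew."""
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))


# --- Constructed user store (sample data, not a real account) --------------
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {
    "alice": {"salt": _SALT, "pw": _DIGEST, "totp_secret": b"12345678901234567890"},
}


def verify_login(username: str, password: str, code: str, now: Optional[int] = None) -> str:
    """Hypothetical login routine: returns 'ok' or a reason for denial.
    Step two is evaluated only after step one succeeds."""
    user = USERS.get(username)
    # Run the password derivation even for unknown users so a missing
    # account cannot be distinguished by response time.
    salt, pw = (user["salt"], user["pw"]) if user else (_SALT, b"\x00" * len(_DIGEST))
    if not check_password(password, salt, pw) or user is None:
        return "denied: first factor"
    current = int(time.time()) if now is None else now
    if not check_totp(user["totp_secret"], code, current):
        return "denied: second factor"
    return "ok"


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    print(verify_login("alice", "correct horse battery staple", totp(secret, int(time.time()))))
```

The HOTP routine can be checked against the published RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`, counter 1 gives `287082`), which is why the example keeps the factor checks as separate functions rather than folding them into one login call.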

Page 18: Cloud security and services

Continued…

Data stored on Google’s servers is replicated to several data centers so even a major outage to a data center does not destroy the data.

Google also performs internal audits of their application code, as well as having external audits.

Physical access to data centers is restricted to an as-needed basis and the data centers themselves have network and power redundancies.

Page 19: Cloud security and services
Page 20: Cloud security and services

Geographical Location

Page 21: Cloud security and services

Control Environment

Amazon Web Services, abbreviated AWS, is a collection of remote computing services that together make up a cloud computing platform.

Amazon Elastic Compute Cloud is meant to provide a complete rented computer that users can use as a computing utility.

The goal is to protect data against unauthorized systems or users and to provide Amazon EC2 instances

Page 22: Cloud security and services

Amazon Elastic Compute Cloud

Page 23: Cloud security and services

Multiple levels of security

Host Operating System

Guest Operating System

Firewall

Page 24: Cloud security and services

Services

Well-known services are Amazon EC2, S3 and Amazon SimpleDB.

Elastic Compute Cloud (EC2): It provides a virtual rented computer with the help of Xen.

Simple Storage Service: It provides storage to various applications so that users can do computations and developments onto that space and store them for further use.

Amazon Virtual Private Cloud: It creates a logically isolated set of Amazon EC2 instances which can be connected to an existing network using a VPN connection.

Page 25: Cloud security and services

Hypervisor

It is conceptually one level higher than a supervisory program.

The hypervisor presents to the guest operating systems a virtual operating platform and manages the execution of the guest operating systems.

Multiple instances of a variety of operating systems may share the virtualized hardware resources.

Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor, taking advantage of paravirtualization.

Page 26: Cloud security and services

Instance Isolation

Different instances running on the same physical machine are isolated from each other via the Xen hypervisor.

The AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface.

All packets must pass through this layer, thus an instance's neighbors have no more access to that instance.
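The isolation property described on this slide, as an added example that is not code from the original presentation or from AWS: a small default-deny ingress filter that sits in the position the slide gives the hypervisor firewall, in front of each instance's virtual interface. Every packet is evaluated against the destination instance's allow rules regardless of where it came from, so an instance on the same physical host is filtered exactly like a host on the Internet. The instance names, addresses, rules and packets are constructed sample data, and `permitted`, `Rule` and `Packet` are hypothetical names.

```python
"""Hypervisor-layer ingress filter, default deny. Added example; the
instances, rules and packets below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; 0 for icmp
    cidr: str    # permitted source range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    origin: str  # "internet" or the name of a co-located instance (for the report only)


# Constructed sample tenancy: three instances share one physical host.
INSTANCES: Dict[str, dict] = {
    "web-1": {"addr": "10.0.1.10", "ingress": [
        Rule("tcp", 443, "0.0.0.0/0"),          # HTTPS from anywhere
        Rule("tcp", 22, "203.0.113.0/24"),      # SSH only from an admin range
    ]},
    "db-1": {"addr": "10.0.1.20", "ingress": [
        Rule("tcp", 5432, "10.0.1.10/32"),      # Postgres only from web-1
    ]},
    "other-tenant": {"addr": "10.0.9.5", "ingress": []},
}


def permitted(pkt: Packet) -> bool:
    """Decision taken at the hypervisor layer before the packet reaches the
    instance's virtual interface: deny unless an ingress rule of the
    destination instance matches protocol, port and source address.
    The packet's origin (Internet or neighbouring instance) is never consulted."""
    dest = next((i for i in INSTANCES.values() if i["addr"] == pkt.dst), None)
    if dest is None:
        return False
    src = ip_address(pkt.src)
    return any(
        r.proto == pkt.proto and r.dport == pkt.dport and src in ip_network(r.cidr)
        for r in dest["ingress"]
    )


def filter_packets(packets: List[Packet]) -> List[Tuple[Packet, bool]]:
    """Evaluate a batch of packets and pair each with its verdict."""
    return [(p, permitted(p)) for p in packets]


# Constructed traffic: the same db-1:5432 request from the trusted web tier,
# from a neighbouring tenant on the same host, and from the Internet.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "10.0.1.10", "tcp", 443, "internet"),
    Packet("198.51.100.7", "10.0.1.10", "tcp", 22, "internet"),
    Packet("10.0.1.10", "10.0.1.20", "tcp", 5432, "web-1"),
    Packet("10.0.9.5", "10.0.1.20", "tcp", 5432, "other-tenant"),
    Packet("10.0.9.5", "10.0.1.10", "tcp", 22, "other-tenant"),
    Packet("198.51.100.7", "10.0.1.20", "tcp", 5432, "internet"),
]


def neighbour_has_no_extra_access(packets: List[Packet]) -> bool:
    """True when no packet emitted by a co-located instance was allowed
    unless an Internet-origin packet with the same 5-tuple would be too."""
    for p in packets:
        if p.origin != "internet" and permitted(p):
            as_external = Packet(p.src, p.dst, p.proto, p.dport, "internet")
            if not permitted(as_external):
                return False
    return True


if __name__ == "__main__":
    for pkt, ok in filter_packets(SAMPLE_PACKETS):
        print(f"{pkt.origin:>13} {pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}  "
              f"{'ALLOW' if ok else 'DENY'}")
```

Running the block shows that the neighbouring tenant's attempts on db-1:5432 and web-1:22 are denied while web-1's own database connection and Internet HTTPS traffic pass, which is the "no more access than anyone else" property the slide states.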

Page 27: Cloud security and services

Instance Isolation

Page 28: Cloud security and services

Countermeasures

Authentications and ID Management

Workload analysis and allocation

Use of Data Encryption

Better Enterprise Infrastructure

Page 29: Cloud security and services

Conclusion & Future Scope

The classification of the various threats discussed in this paper helps cloud users to make a proper choice and also helps cloud providers to handle such threats efficiently.

Various cloud providers like Amazon, Google & Windows Azure are liable to users in their services.

The future work by the authors would comprise developing a model to detect and prevent the most common virtualization-related threats and various risks.

Page 30: Cloud security and services

Please Ask…

Page 31: Cloud security and services