“Cloud Computing Security” CSE 7344 – Wildcard SMU Spring 2010 By Gokhan Gun ggun@ieee.org ggun@smu.edu
Brief introduction of Cloud Computing
• Definition: a class of next-generation, highly scalable distributed computing platforms in which computing resources are offered 'as a service', leveraging virtualization and Internet technologies
• Examples: Amazon's Elastic Compute Cloud (EC2) and IBM’s Blue Cloud
Introduction
• A precise definition is often debated
• The architecture and terminology of cloud computing is as clearly and precisely defined as, well, a cloud, since cloud computing is really a culmination of many technologies such as grid computing, utility computing, SOA, Web 2.0, and other technologies
“Cloud computing security”
• The US government projects that between 2010 and 2015, its spending on cloud computing will grow at approximately a 40-percent compound annual rate and will pass $7 billion by 2015
• Cisco Systems’ current CEO, John Chambers, described cloud computing as “a security nightmare”.
Cloud Security Issues (I)
• Securing data in the “cloud” is difficult
• Security is a particularly critical feature of any SLA
• The SLA is the only legal agreement between the service provider and client
• SLA defines the relationship between two parties: the provider and the recipient
SLA
• Identify and define the customer’s needs
• Provide a framework for understanding
• Simplify complex issues
• Reduce areas of conflict in the event of disputes
• Eliminate unrealistic expectations
Standardization Process
• Privileged user access
• Regulatory compliance
• Data Location
• Data Segregation
• Recovery
• Investigative support
• Long term viability
Questionnaires (SLA needs to answer)
• What happens if the SLA is not met?
• Who will check the security of cloud providers?
• How secure is the encryption scheme?
• But an even larger question looming like a dark cloud on the horizon is that of jurisdiction and legal status. Is stuff in the cloud on the same legal footing as stuff in your data center?
Security at different levels
• Server access security
• Internet access security
• Database access security
• Data privacy security
• Program and access security
Questions
• What is data security at the physical layer?
• What is data security at the network layer?
• What about investigative support?
• How safe is data from natural disasters?
• How trustworthy is the service provider's encryption scheme?
SLA
• The SLA also has to address many other issues, such as security policies, methods and their implementations.
• It also has to state what legal actions are taken if the services are misused by the customer.
On Technical Security Issues in Cloud Computing (II)
• The cloud computing concept offers dynamically scalable resources
• It promises the reduction of capital expenditure (CapEx) and operational expenditure (OpEx).
Cloud layers
• Amazon’s Elastic Compute Cloud (EC2) is a prominent example of an IaaS offering
• Google’s App Engine is an example of PaaS
• The top layer (SaaS) provides its users with ready-to-use applications
In-depth discussion of security issues in Cloud Computing
• Data confidentiality
• Safety
• Privacy
• WS-Security
  - defines a SOAP header (Security) that carries the WS-Security extensions
  - defines how XML security standards like XML Signature and XML Encryption are applied to SOAP messages
  - XML Encryption defines an EncryptedKey element for key transportation purposes
• Additionally, WS-Security defines security tokens suitable for transportation of digital identities
  - i.e. X.509 certificates
TLS – Transport Layer Security
• Originally introduced as Secure Sockets Layer (SSL) in 1996 by Netscape
  - Record Layer encrypts/decrypts TCP data streams
  - keys negotiated in the TLS Handshake
  - offers many different options for key agreement, encryption and authentication of network peers
Cloud Computing Security Issues
• XML Signature
  – SOAP relies on XML
  – Other application layer protocols
    • RPC
    • HTTP
• Browser Security
• The Legacy Same Origin Policy
• Attacks on Browser-based Cloud Authentication
• Secure Browser-based Authentication
• Future Browser Enhancements
  – XML Encryption
  – XML Signature
• Cloud Integrity and Binding Issues
• Metadata Spoofing Attack
• Flooding Attacks
• Direct Denial of Service
• Indirect Denial of Service
• Accounting and Accountability
Conclusion and Future Work
• Ongoing issues with the application of XML Signature and the Web Services security frameworks
• Browser Security and SaaS
• Binding Issues, PaaS
• Threat of CC, IaaS
Data Security in the World of Cloud Computing (III)
• a tested encryption schema
• stringent access controls to prevent unauthorized access
• scheduled data backup and safe storage
Who Will Use Clouds and Proffer Security?
• users range from individuals and small businesses to Fortune 500 firms and governments
• Who has jurisdiction over data as it flows across borders?
• Can governments access that information as it changes jurisdiction?
• Is there more risk in storing personal information in data centers that belong to a single entity rather than in multiple data centers?
• legal decisions will ultimately determine who “owns” the responsibility for securing information shared within clouds
A Layered Security Approach for Cloud Computing Infrastructure (IV)
• a practical security model based on key security considerations by looking at a number of infrastructure aspects of Cloud Computing
• a proposed shared security approach in system development life cycle focusing on the plan-built-run scope
• required security architecture incorporated firewalls, intrusion detection/prevention systems, antivirus, authentication, authorization, access control, encryption and other services
Dynamic Infrastructure Security Model:
• A well established dynamic security model
• a horizontally and vertically configurable and policy based security approach
• infrastructure scope covered within the domains of network, servers, storage and systems management
Top five cloud computing security issues (V)
• Every breached security system was once thought infallible
• Understand the risks of cloud computing
• How cloud hosting companies have approached security
• Local law and jurisdiction where data is held
• Best practice for companies in the cloud
• SaaS (software as a service) and PaaS (platform as a service) providers all trumpet the robustness of their systems
• Companies need to be vigilant, for instance about how passwords are assigned, protected and changed.
• Open Cloud Manifesto
  – bring together the emerging cloud computing community
  – IBM, Cisco, SAP, EMC etc.
• A handful of existing web standards which companies in the cloud should know about
• ISO27001 - designed to provide the foundations for third party audit
• SAS70 - an auditing standard also used by cloud service providers
Best practice for companies in the cloud
• Inquire about exception monitoring systems
• Be vigilant around updates and making sure that staff don't suddenly gain access privileges they're not supposed to.
• Ask where the data is kept and inquire as to the details of data protection laws in the relevant jurisdictions.
• Seek an independent security audit of the host
• Find out which third parties the company deals with and whether they are able to access your data
• Be careful to develop good policies around passwords; how they are created, protected and changed.
• Look into availability guarantees and penalties.
• Find out whether the cloud provider will accommodate your own security policies
References
• http://www.computer.org/portal/web/csdl/doi/10.1109/SCC.2009.84
• http://www.computerweekly.com/Articles/2010/01/12/235782/Top-five-cloud-computing-security-issues.htm
• http://www.computer.org/portal/web/csdl/doi/10.1109/CLOUD.2009.60
• http://www.computer.org/portal/web/csdl/doi/10.1109/MSP.2009.87
• http://www.computer.org/portal/web/csdl/abs/html/mags/co/2007/02/r2045.htm
• http://www.nr.no/~abie/security.htm
• http://www.export.gov/safeharbor/SH_Overview.asp
• http://www.opencloudmanifesto.org/Open%20Cloud%20Manifesto.pdf
[1] Confidential @ Gokhan Gun, sections cited are copyrighted © by the authors