cloud computing & security issues prepared by: hamoud al-shammari cs 6910 summer, 2011...
TRANSCRIPT
Cloud Computing & Cloud Computing & Security IssuesSecurity Issues
Prepared byPrepared by::Hamoud Al-ShammariHamoud Al-Shammari
CS 6910CS 6910Summer, 2011Summer, 2011
University of Colorado at Colorado SpringsUniversity of Colorado at Colorado SpringsEngineering & Applied ScienceEngineering & Applied Science
2
First PartFirst Part What is Cloud Computing. Layers of Cloud Computing. Technical Security Issues in Cloud
Computing.
Second PartSecond Part What are the problems? Opportunities for Advancement. The Idea of PVI.
7/25/2011 Alshammari/Cloud Security
3
It is a new paradigm for the provision of computing
infrastructure, which shifts the location of this
infrastructure to the network to reduce the costs of
hardware and software resources.
What is Cloud ComputingWhat is Cloud Computing??
7/25/2011 Alshammari/Cloud Security
4
1- Software as a Service.
2- Platform as a Service.
3- Infrastructure as a Service.
Models of Cloud ComputingModels of Cloud Computing
7/25/2011 Alshammari/Cloud Security
5
1- Software as a Service:•Provides users to use the applications online.•Ex: www.zoho.comMail, Writer, Projects … etc.
Models of Cloud Models of Cloud ComputingComputing
7/25/2011 Alshammari/Cloud Security
6
2- Platform as a Service:•To control the hosting environments to specific needs.•Ex: Google App Engine to deploy and dynamically scale Python and Java based web applications.
Models of Cloud Models of Cloud ComputingComputing
7/25/2011 Alshammari/Cloud Security
3- Infrastructure as a Service (IaaS):•Provides basic infrastructure components such as CPU, memory and storage.•Ex: Amazon’s Elastic Compute Cloud (EC2).
Alshammari/Cloud Security 77/25/2011
Models of Cloud Models of Cloud ComputingComputing
87/25/2011 Alshammari/Cloud Security
9
1- Web-Services:
•Provide access to (IaaS)
2- Web-Browsers:
•Provide access to (SaaS)
* Both provide the access
to (PaaS)
Two main technologies are used Two main technologies are used to access these three Cloud to access these three Cloud
services services
7/25/2011 Alshammari/Cloud Security
10
To reduce the costs: (Pay – As – You – Go)
1- To reduce hardware costs (IaaS).
2- To reduce software license costs (SaaS), (PaaS).
To support the Scalable Systems:
To NOT worry about increasing of users and requests.
Why we use Cloud Why we use Cloud ComputingComputing??
7/25/2011 Alshammari/Cloud Security
11
Cloud Security issues focus on:1- Confidentiality.2- Integrity.3- Authentication.
Two places that must be secure in Cloud which are:1- Web-Services (WS).2- Web-Browser (WB).
Some Technical Some Technical Security Issues in Security Issues in Cloud ComputingCloud Computing
7/25/2011 Alshammari/Cloud Security
12
WS-Security: is the security mechanism for web service working in message level.
How to provide Confidentiality, Integrity, and Authentication for messages?1- By using XML signature:For XML fragments to be digitally signed to ensure integrity and authentication.
2- By using XML Encryption:For XML fragments to be encrypted to ensure data confidentiality.
11 - -Web-Service SecurityWeb-Service Security
7/25/2011 Alshammari/Cloud Security
13
The client PC is used for I/O only, and for Authentication and Authorization of commands to the cloud. A client just send a request and wait for the result.
Modern Web-Browser are using AJAX techniques (Asynchronous Java Scripts and XML) to develop platform independent I/O tools.
New names for that techniques (Web Applications, Web 2.0, or SaaS).
22 - -Web-Browser SecurityWeb-Browser Security
7/25/2011 Alshammari/Cloud Security
14
1- Record Layer:Encrypts/Decrypts TCP data stream.
2- TLS Handshake:Used to authenticate the server and the
client.
SSL became the most important cryptographic protocol worldwide, because it is implemented in every web browser.
33 - -Transport Layer Security Transport Layer Security (TLS)(TLS)
OR Secure Sockets Layer OR Secure Sockets Layer (SSL)(SSL)
7/25/2011 Alshammari/Cloud Security
15
Attacker adds his own system to the Cloud system.
To Solve the PROBLEM: Store a hash value in the cloud and compare any
new service or request with the hash value.
WHAT if the attacker can create a valid hash value !!!
44 - -Cloud Malware Injection Cloud Malware Injection AttackAttack
7/25/2011 Alshammari/Cloud Security
16
Attacker sends a huge amount of nonsense requests to a certain service which make the problem by having the data traffic of different time zones operated by the same server.
That cause, the servers will NOT serve the other requests from another users.
To Sole The PROBLEM: Cloud Computing enables a dynamic adaption of
hardware requirements to the actual workload occurring by using Virtual Machines (VM).
55 - -Flooding AttacksFlooding Attacks
7/25/2011 Alshammari/Cloud Security
17
Second PartSecond Part ““What are the What are the
problemsproblems”?”?
7/25/2011 Alshammari/Cloud Security
18
XML Signature Element Wrapping: SOAP messages are generally transmitted through
HTTP protocol with an XML format.
Attacker is able to manipulate a SOAP messages by copying the target element and inserting another value and moving the original element to somewhere on the SOAP message.
What is the problem with Web-What is the problem with Web-ServicesServices??
To Solve The Problem: Using a combination of WS-Security with XML
signature to sign particular element and digital certificated such as X.509.
Create a list of elements that is used in the system, and reject any other messages.
7/25/2011 Alshammari/Cloud Security
19
The web-Browsers are not able to apply WS-Security concepts (XML signature and XML encryption).BECAUSE:1- Data can only be encrypted through (TLS)
which is Transport Layer Security.2- XML signatures are only used within the (TLS)
handshake.
What is the problem with Web-What is the problem with Web-BrowserBrowser??
7/25/2011 Alshammari/Cloud Security
20
The TSL/SSL technique is point-to-point.
Messages will be Encrypted and Decrypted many times in the process. possibility of breaking the security between the browser and
the clouds, and followed by proposal to enhance the current browsers security.
Then, attacker can get the DECRYPTED message and change it !
What is the problem with TSL/SSLWhat is the problem with TSL/SSL??
7/25/2011 Alshammari/Cloud Security
21
1- For the problems in Web-Browsers / SSL
The vendors could create web browsers that apply WS-Security concepts within their web browsers.
The WS-Security works in message level, so it appears to be more suitable than SSL/TLS.
Then, these web browsers are able to use XML Encryption in order to provide end-to-end encryption in SOAP messages.
Opportunities for Opportunities for AdvancementAdvancement
7/25/2011 Alshammari/Cloud Security
22
2- Private Virtual Infrastructure (PVI)
Usually, cloud computing place an organization’s data in the control of a third party.
PVI model is designed to separate the duties between the users and the providers:
1- The PVI datacenter is under control of the information
owner.
2- The cloud fabric is under control of the service provider.
Opportunities for Opportunities for AdvancementAdvancement
7/25/2011 Alshammari/Cloud Security
23
Private Virtual Infrastructure (PVI)
Client CANNOT manipulate the security settings of the fabric.
Client CAN remove, destroy, or lock down their data at any time.
The Service Level Agreement (SLA) between the user and the provider determines the responsibilities of all parties.
In this model Client needs to:
1- Vision into the security settings and configuration of the fabric.
2- Communicate to VPI through virtual private network and all
links should be encrypted with tunnels like SSL.
Opportunities for Opportunities for AdvancementAdvancement
7/25/2011 Alshammari/Cloud Security
24
Private Virtual Infrastructure (PVI)Trusted Computing:
Providers are required to use trusted computing technologies, so organizations can verify their security posture in the cloud and control their information.
The key component here is Trusted Platform Model (TPM) which is a cryptographic component that stores cryptographic keys.
Cryptographic keys can be used to attest the operating state of the platform.
Platform Configuration Registers (PCRs) are places where cryptographic keys are stored in. So, the clients can request the PCRs to verify that the platform they are using meet their policy and configuration requirements.
PROBLEM with TPM: it only works for non-virtualized environment.
Opportunities for Opportunities for AdvancementAdvancement
7/25/2011 Alshammari/Cloud Security
25
Private Virtual Infrastructure (PVI)Trusted Computing:
PROBLEM with TPM: it only works for non-virtualized environment.
Virtual TPM (VTPM): is implemented by providing software instances of TPMs for each virtual machine.
The developers here developed an architecture that secures each VM by coupling a VTPM in its own sub domain called Locator Bot (LoBot).
LoBot allows each VM to be verifiable by its owner and provide secure provisioning and migration of the VM within the cloud as well.
Opportunities for Opportunities for AdvancementAdvancement
7/25/2011 Alshammari/Cloud Security
26
Private Virtual Infrastructure (PVI)Five Tenets of Cloud Computing:1- Trusted Cloud Platform: the provider needs to provide security services
which protect and monitor the fabric.
2- PVI Factory:
- The most sensitive component of PVI.
- It is the root authority for:
- Provisioning.
- VTPM key generation.
- Certificate generation & management.
- Should be under full control of the information owner.
- It serves as the controller and policy decision point for the PVI.
Opportunities for Opportunities for AdvancementAdvancement
7/25/2011 Alshammari/Cloud Security
27
Private Virtual Infrastructure (PVI)3- Measurement and Secure Provisioning:
-Providers must allow clients transparent insight into their infrastructures.
-LoBot can perform the fabric pre-measurement which allows PVI to share the responsibility of security management.
-LoBot is a VM architecture and secure transfer protocol based on VTPM.
4- Secure Shutdown and Data Destruction:
-This process is required to ensure all sensitive data is removed before new processes are allowed to run on it.
-The PROBLEM: the VM do not provide that, so the authors recommended to enclose that on future VM monitors or through LoBot.
Opportunities for Opportunities for AdvancementAdvancement
7/25/2011 Alshammari/Cloud Security
28
Private Virtual Infrastructure (PVI)5- Monitoring and Auditing:
-LoBot can provide continuous monitoring of the cloud environment.
-Clients can provide the auditing process, but with that number of users and amount of information the legal using of the information will be decreased.
-The authors recommend the sharing of auditing responsibilities between the service providers and clients to provide an increased ability for forensic analysis.
-Locator Bot (LoBot) is the authors’ architecture and protocol for secure provisioning and secure migration of virtual machines within an IaaS cloud. LoBot provides many other security features for PVI such as environmental monitoring, tamper detection and secure shutdown.
Opportunities for Opportunities for AdvancementAdvancement
7/25/2011 Alshammari/Cloud Security
Thank Thank youyou
July 25, July 25, 20112011
Cloud Computing & Cloud Computing & Security IssuesSecurity Issues