Security Issues in Cloud
BY: VIPUL GUPTA
0702913116
• What is CLOUD?
• Advantages of Cloud
• Major concerns in Cloud Security
• Foundations to understand Threats
• Understanding Threats
• Government’s role
• SERVICE LEVEL AGREEMENT
• Conclusion & Future Work
In June 2009, a study conducted by VersionOne found that 41% of senior IT professionals actually don't know what cloud computing is and two-thirds of senior finance professionals are confused by the concept, highlighting the young nature of the technology.
…the idea of relying on Web-based applications and storing data in the “CLOUD” of the internet.
The cloud is a smart, complex, powerful computing system in the sky that people can just plug into.
It starts with the premise that the data services and architecture should be on the servers. We call it Cloud Computing – they should be in a “CLOUD” somewhere.
Cloud computing is Web-based processing, whereby shared resources, software, and information are provided to computers and other devices (such as smartphones) on demand over the Internet.
“Cloud” is simply a metaphor for the internet
Users do not have or need knowledge of, control over, or ownership of the computer infrastructure
Users simply rent or access the software, paying only for what they use
• Authentication
• Trust on vendor data privacy
Defines how to provide integrity, confidentiality and authentication for SOAP messages
Defines a SOAP header (Security) that carries the WS-Security extensions
Defines how existing XML security standards like XML Signature and XML Encryption are applied to SOAP messages
XML Encryption allows XML fragments to be encrypted to ensure data confidentiality
The encrypted fragment is replaced by an EncryptedData element containing the ciphertext of the encrypted fragment as content
XML Encryption defines an EncryptedKey element for key transportation purposes
WS-Security defines security tokens suitable for transportation of digital identities
Example: X.509 certificates
Also known by the name “SECURE SOCKETS LAYER (SSL)”
Consists of two parts:
• The Record Layer: encrypts/decrypts TCP data streams using the algorithms and keys negotiated in the TLS Handshake
• The TLS Handshake: used to authenticate the server and optionally the client
Most important cryptographic protocol worldwide, implemented in every web browser
TLS configuration FAILS for PHISHING attacks
A well-known type of attack is called:
• XML Signature Element Wrapping
Discovered by McIntosh and Austel in 2005
Until 2008, this attack remained theoretical and no real-life wrapping attack became public
In 2008 it was discovered that Amazon’s EC2 service was vulnerable to wrapping attacks
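A defensive check for the wrapping problem named above, as an added example that is not part of the original slides: it confirms that the element referenced by the XML Signature is the same soap:Body a SOAP stack will process. The function name, sample names and constructed envelopes are assumptions made for illustration, and cryptographic verification of the signature is assumed to happen separately.

```python
import xml.etree.ElementTree as ET  # untrusted input needs a hardened parser (e.g. defusedxml)

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"soap": SOAP, "ds": DS, "wsse": WSS + "secext-1.0.xsd"}
WSU = WSS + "utility-1.0.xsd"
WSU_ID = "{" + WSU + "}Id"
REF_PATH = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"


def check_signed_body(xml_text):
    """Return (ok, reason); ok only if a Reference covers the Body that gets processed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{" + SOAP + "}Envelope":
        return False, "root is not a SOAP Envelope"
    body = root.find("soap:Body", NS)  # direct child only: the Body a SOAP stack dispatches on
    refs = root.findall(REF_PATH, NS)
    if body is None or not refs:
        return False, "missing Body or signature Reference"
    body_id = body.get(WSU_ID)
    if body_id is None:
        return False, "processed Body has no wsu:Id"
    # An Id that occurs twice makes reference resolution ambiguous: reject.
    if sum(1 for e in root.iter() if e.get(WSU_ID) == body_id) != 1:
        return False, "duplicate wsu:Id"
    if "#" + body_id not in [r.get("URI") for r in refs]:
        return False, "no Reference covers the processed Body"
    return True, "signed Body is the processed Body"


def sample(header_extra, body_attrs):
    """Build a constructed test envelope (signature value and digests omitted)."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:ds="{DS}" '
        f'xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{WSU}"><soap:Header><wsse:Security>'
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo>'
        f'</ds:Signature></wsse:Security>{header_extra}</soap:Header>'
        f'<soap:Body{body_attrs}><GetStatus/></soap:Body></soap:Envelope>'
    )


# Constructed inputs: one intact message and two that must be rejected.
INTACT = sample("", ' wsu:Id="body-1"')
RELOCATED = sample('<Wrapper><soap:Body wsu:Id="body-1"/></Wrapper>', "")
DUPLICATE_ID = sample('<Extra wsu:Id="body-1"/>', ' wsu:Id="body-1"')

if __name__ == "__main__":
    for name, doc in [("intact", INTACT), ("relocated", RELOCATED), ("duplicate", DUPLICATE_ID)]:
        print(name, check_signed_body(doc))
```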
Web browsers cannot directly make use of XML Signature or XML Encryption: data can only be encrypted through TLS, and signatures are only used within the TLS handshake
The Legacy Same Origin Policy: concerned with whether scripts are allowed or disallowed to run
Attacks on Browser-based Cloud Authentication: Federated Identity Management (FIM) protocols
• Authentication by THIRD PARTY
National Institute of Standards and Technology (NIST), an agency of the Commerce Department’s Technology Administration, created a cloud computing security group
It promotes “the effective and secure use of the technology within government and industry by providing technical guidance and promoting standards”
NIST has recently released its draft “Guide to Adopting and Using the Security Content Automation Protocol (SCAP)”
A service level agreement is a document which defines the relationship between two parties: the provider and the recipient
Vendors have to provide some assurance in service level agreements (SLA) to convince the customer on security issues
If used properly it should:
• Identify and define the customer’s needs
• Provide a framework for understanding
• Simplify complex issues
• Reduce areas of conflict
We investigated ongoing issues with the application of XML Signature and the Web Services security frameworks
Discussed the importance and capabilities of browser security in the Cloud Computing context
The threats to Cloud Computing security are numerous, and each of them requires an in-depth analysis of its potential impact and relevance to real-world Cloud Computing scenarios
Future work includes strengthening the security capabilities of both Web browsers and Web Service frameworks, ideally integrating the latter into the former
To achieve a recognized and actionable security policy, SCAP recommends that organizations demonstrate compliance with security requirements in mandates such as the US Federal Information Security Management Act (FISMA)
• On Technical Security Issues in Cloud Computing, Meiko Jensen, Jörg Schwenk (Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany) and Nils Gruschka, Luigi Lo Iacono (NEC Laboratories Europe, NEC Europe Ltd), IEEE, 2009
• Lori M. Kaufman, BAE Systems, IEEE, 2009
• Cloud Security Issue, Balachandra Reddy Kandukuri, Ramakrishna Paturi V, Dr. Atanu Rakshit, IEEE, 2009
• http://csrc.nist.gov/groups/SNS/cloudcomputing/index.html
QUERIES???