Thread: Security threats in cloud computing and preventive methods.
7 days ago
Shankar Hari Prasai
Security threats in cloud computing and preventive methods.
Background
Cloud computing is an innovative model, concept and technology in the computing field that enables ubiquitous, convenient, on-demand network access to a shared pool of computing resources such as network, storage, application, server and services, which can be deployed, extended and released easily with or without the support of the service provider and charged as per use.
Fig: Cloud computing (source: www.pcmag.com)
There are three service models in cloud computing. They are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Similarly, there are four deployment models that indicate who will invest in the cloud infrastructure and who will be allowed to access the cloud services. They are private, public, community and hybrid cloud.
Cloud computing has introduced some new concepts on
https://interact2.csu.edu.au/webapps/discussionboard/do/message?action=list_messages&course_id=_12288_1&conf_id=_18598_1&forum_id=_47136_1&mes
5/23/2016
Weak Identity, Credential and Access Management
Use of weak passwords, failure to use multifactor authentication, a lack of ongoing automated rotation of cryptographic keys, passwords and certificates, and improper access management on the cloud system create security threats.
Abuse and Nefarious Use of Cloud Computing
Cloud computing gives an enormous computing platform to different organizations and individuals. Due to weak registration processes and limited fraud detection capabilities, malicious users easily get access to cloud services as a client. They infiltrate the cloud computer and upload malware and spam to thousands of computers, and use the power of the exploited cloud infrastructure to attack other machines. For example, an attacker can easily launch a DDoS type of attack.
Insecure Interfaces and APIs
Customers use software user interfaces and application programming interfaces (APIs) to manage and interact with cloud services. Sometimes a third party makes an API to add extra services to the cloud system and is less concerned about security. A hacker might exploit the vulnerability in those insecure interfaces and APIs and access other accounts.
Malicious Insiders
It means a person who has authorized access to the system and takes actions to damage the system, leak confidential information, etc. For example, if an employee is not satisfied with the company, they can attack the system more easily than an outside attacker and leak information.
Shared Technology Vulnerabilities
One important characteristic of cloud is multitenancy, where multiple users share the same cloud infrastructure resources at the same time. Several virtual machines are running at the same time and it is difficult to track and maintain the security between virtual and host machines. It may happen that a guest system tries to inject malicious code into the hypervisor and break the isolation layer between guest VM and hypervisor, getting root privilege on the hypervisor.
Data Loss/Leakage/Breach
Data residing on the cloud can be lost or leaked in different ways, such as accidental deletion, natural calamity, loss of the encoding key or unauthorized access.
Account, Service & Traffic Hijacking
An unauthorized person can access authorized accounts and services and capture traffic between user and system in different ways such as man-in-the-middle attacks, phishing and spam campaigns, denial of service attacks, etc.
Denial of Service Attacks
In this type of attack, the server is flooded with millions of requests at the same time, originated by unauthorized users. Their main intent is to overload the server. This will defunct the server function and authorized users cannot get service. The sophisticated form of Denial of Service attack is DDoS.
System and Application Vulnerabilities
Bugs in programs and vulnerabilities within the operating system, such as the kernel, system libraries and application tools, pose security threats in cloud computing. Attackers exploit system and program weaknesses and can launch attacks.
Fig: Cloud computing threats
Weak Identity, Credential and Access Management
Credentials and cryptographic keys should not be embedded in source code.
A secured public key infrastructure should be used in key management activities.
Federated identity, multifactor authentication, cryptographic keys including TLS certificates, and policy management in the password system should be implemented.
Confronting Abuse and Nefarious Use of Cloud Computing
Implement strict initial registration and validation processes
Comprehensive introspection of customer traffic
Monitor public blacklists and take the necessary steps if found suspicious
Confronting Insecure Application Programming Interfaces
Analyze and test the security model of the cloud provider API
Check whether the cloud provider has implemented strong authentication, encryption and access control lists
Check the dependency relations of the API
Confronting Malicious Insiders
More transparency required in management and security processes
Compliance reporting and breach notification
Implementing Role-based access control (RBAC)
Confronting Shared Technology Vulnerabilities
It can be minimized by implementing best practice during installation and configuration. It can be done by making the cloud provider more responsible for patching, vulnerability remediation, auditing and vendor support by mentioning it in the service level agreement (SLA). Implementing strong authentication and access control for administrative access is one way to minimize the threat posed by shared technology vulnerabilities.
Confronting Data Loss/Leakage/Breach
Users access cloud services using the web or an API. We should implement strong API access control. We can protect the data in design, at runtime and in transit by implementing strong encryption techniques. Secure key generation, storage and management, and destruction processes help to keep critical information safe, such as encryption keys, decryption keys, passwords and other user information. Sometimes natural calamity and accidental data deletion problems may happen. Data backup and retention strategies, redundant transmission links and disaster management strategies help to recover the original system.
Summary of threat and solution (Modi, Patel, Borisaniya, Patel, & Rajarajan, 2012, p. 8)
Summary of cloud attack and solution (Modi, Patel, Borisaniya, Patel, & Rajarajan, 2012, p. 8)
Suggestion
The Service level Agreement (SLA) is an important legal document in cloud computing. Cloud users should sign it only after understanding each point in the SLA, e.g. migration, interoperability, data deletion, disaster recovery system, redundancy path, etc. If possible, do not put the most critical data and information in the cloud, and always make backups of important data and information.
Conclusion
Cloud computing is a paradigm shift from traditional IT infrastructure and computing, where the computing is shifted to a cloud of computers. Along with its huge advantage over traditional IT, it has created new levels of security and privacy risk. Owners don't have physical, logical and technical control over their own data. There are a lot of security threats found in cloud computing, such as data loss, data leakage, DNS attack, account, service and traffic hijacking, data breach, vendor lock-in, interoperability, cloud migration, complete deletion and many more. Some threats can be solved technically, such as data loss, data leakage, data breach, traffic hijacking, etc., by strong authentication, authorization and encryption techniques. Some threats related to the cloud provider are minimized by the SLA (service level agreement), third-party auditing, vendor lock-in, data deletion, data backup, disaster recovery and migration. Some threats that are related to governance can be addressed by introducing law, policy and procedure. Some threats related to the client can be addressed by proper training, such as how to access the cloud safely and how to manage important information like passwords, account information, etc.
References
Erl, T., Puttini, R., & Mahmood, Z. (2013). Cloud computing: Concepts, technology, & architecture. Prentice Hall.
Cloud Security Alliance. (2016). The Treacherous 12: Cloud Computing Top Threats in 2016. Retrieved from the Cloud Security Alliance website: https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/
Ashktorab, V., & Taghizadeh, S. R. (2012). Security threats and countermeasures in cloud computing. International Journal of Application or Innovation in Engineering & Management (IJAIEM), 1(2), 234-245.
Modi, C., Patel, D., Borisaniya, B., Patel, A., & Rajarajan, M. (2012). A survey on security issues and solutions at different layers of Cloud computing. J Supercomput, 63(2), 561-592. doi:10.1007/s11227-012-0831-5
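As an added example illustrating the first countermeasure in the post above (credentials and cryptographic keys should not be embedded in source code), here is a small scanner that flags such embedded secrets before code is pushed to a cloud environment. This is example code written for this page, not from the post or its cited sources; the detection patterns, the entropy threshold and the sample file are constructed assumptions.

```python
import math
import re
from collections import Counter

# Illustrative detection patterns (constructed for this example, not a standard list).
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(value):
    """Bits of entropy per character; placeholders score low, real secrets high."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, min_entropy=3.0):
    """Return (line_no, kind, evidence) for each line that looks like an embedded secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY.search(line):
            findings.append((no, "private_key", line.strip()))
            continue
        m = ASSIGNMENT.search(line)
        # Low-entropy values such as "changeme" are placeholders, not credentials.
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            findings.append((no, "hardcoded_" + m.group(1).lower(), m.group(2)))
    return findings


# Constructed sample file: lines 2 and 5 should be flagged, lines 3 and 4 should not.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "Xq7!vL2p$9zRt4Km"   # embedded secret (constructed value)
API_KEY = os.environ["API_KEY"]      # read from the environment, not embedded
password = "changeme"                # low-entropy placeholder, ignored
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, kind, evidence in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {evidence}")
```

Run it as a pre-commit hook over each staged file; a non-empty result is a reason to move the value into a secrets manager or environment variable before the code leaves the developer's machine.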
5 days ago
Rejitha Manoj
RE: Security threats in cloud computing and preventive methods.
Hi Shankar,
Is there any effective solution for cloud disaster recovery?
3 days ago
Shankar Hari Prasai
RE: Security threats in cloud computing and preventive methods.
A disaster is an unexpected event in a system's lifetime. It can be made by nature (like the tsunami and earthquake), hardware/software failures (e.g., VMs' failure of Heroku hosted on Amazon EC2 in 2011) or even humans (human error or sabotage). It can lead to serious financial loss or can even put human lives at risk (Kashiwazaki, 2012).
Yes.
There are several disaster recovery solutions in cloud computing. What type of solution customers need, they can take depending on their requirements. Disaster can happen at three levels, such as data level, system level, and application level. In the same way, solutions can be obtained at three levels or composite as Disaster Recovery as a Service (DRaaS).
The list of solutions and how they can be done is shown in the table below.
It would be better for cloud users to mention all this in the SLA (service level agreement).
If you want to know more about it then please refer to the following sites:
www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
www.asd.gov.au/.../cloud_computing_security_considerations.htm
3 days ago
Rejitha Manoj
RE: Security threats in cloud computing and preventive methods.
Ok, thanks.
5 days ago
Kaur Jasbir
RE: Security threats in cloud computing and preventive methods.
What is a particular threat or condition for which a cloud provider is not responsible at all?
3 days ago
Shankar Hari Prasai
RE: Security threats in cloud computing and preventive methods.
If something malicious happens beyond the demarcation point, for example compromise of the client device due to client negligence and ignorance such as setting a weak password, sharing passwords with others, not maintaining antivirus programs on one's terminal, or accidental deletion of the user's data by his own mistake, then the cloud provider isn't responsible for it.
Legally, cloud providers are not responsible for what they haven't promised in the Service level agreement (SLA).
Anim Shakya
3 days ago
RE: Security threats in cloud computing and preventive methods.
Hi Shankar,
You have done very good research.
I am wondering whether the federated identity requirement you have mentioned as a method of confrontation adds a new platform for vulnerabilities? As federated identity is not governed either by the cloud provider or the cloud user. If the federated identity system goes down or has some fault, who would be accountable for the losses? Doesn't it add another level of dependency upon a party other than the cloud provider? Is it good practice from the clients' point of view? Can you please elaborate?
regards,
anim
2 days ago
Shankar Hari Prasai
RE: Security threats in cloud computing and preventive methods.
Federated identity management deals with the establishment of trust relationships between various security domains to share authentication data, to reduce management complexity and security risks. It separates user authentication from application code and delegates authentication to a trusted identity provider; as a result it minimizes the administrative overhead and helps to decouple authentication from authorization.
The trusted identity providers may include corporate directories, on-premises federation services, other security token services (STSs) provided by business partners, or social identity providers that can authenticate users who have, for example, a Microsoft, Google, Yahoo!, or Facebook account.
The user does not have to enter credentials for every application. This increases security because it prevents the proliferation of credentials required to access many different applications, and it also hides the user's credentials from all but the original identity provider. Applications see just the authenticated identity information contained within the token.
https://www.researchgate.net/publication/261491220_Integral_Federated_Identity_Mana [accessed May 22, 2016].
https://msdn.microsoft.com/en-us/library/dn589790.aspx
Deep Prakash Kaucha
3 days ago
RE: Security threats in cloud computing and preventive methods.
Hi Shankar, you have presented the cloud service in a very good way. As you described, hackers exploit the insecure interface and API; can you please explain some ways to secure these vulnerabilities in cloud services?
2 days ago
Shankar Hari Prasai
RE: Security threats in cloud computing and preventive methods.
Security practices should be well integrated into their service models by the cloud service provider.
Applications and interfaces (APIs) shall be designed, developed and deployed in accordance with industry-acceptable standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Security policies governing the creation, dissemination, storage and disposal of keys should be in place, and keys should be stored securely in a hardware security module or other encrypted and protected file store. Important/credential information should be embedded into scripts as plain text.
Performing penetration tests and vulnerability assessments
Releasing documentation of the API, application assessment results and reports