5/23/2016

Thread: Security threats in cloud computing and preventive methods.

11 Posts in this Thread, 0 Unread

7 days ago

Shankar Hari Prasai
Security threats in cloud computing and preventive methods.

Background
Cloud computing is an innovative model, concept and technology in the computing field that enables ubiquitous, convenient, on-demand network access to a shared pool of computing resources such as network, storage, application, server and services, which can be deployed, extended and released easily with/without the support of the service provider, and charged as per use.

Fig: Cloud computing (source: www.pcmag.com)

There are three service models in cloud computing. They are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Similarly there are four deployment models that indicate who will invest in the cloud infrastructure and who will be allowed to access the cloud services. They are private, public, community and hybrid cloud.

Cloud computing has introduced some new concepts on the conventional IT system such as multi-tenancy, elasticity, measured service, on-demand service and broadband access. So cloud computing inherited security threats from conventional IT as well as from its own technology features such as virtualization and multi-tenancy etc.

Several users use the same physical resources at the same time by using virtualization technology. Resources are accessed through different networks and use web and API interfaces to connect with the system. It has created many security threats on user data and information.
What is security for cloud computing?
Security controls on cloud computing are, for the most part, similar to the security controls in any IT environment. However, due to some different approaches used in it, such as the service deployment model, operational model and technologies used to enable cloud services such as virtualization and automation etc., it may pose different threats on an organization than a traditional IT solution.

So there are different layers of security threat in cloud computing such as physical, network infrastructure, virtualization, IT system security, all the way to data, information and application security.

Security threats in cloud computing
There are many security challenges in cloud computing as it encompasses many technologies including networks, databases, operating systems, virtualization, resource scheduling, transaction management, load balancing, concurrency control and memory management.
Following are the main security threats most common in cloud computing.

Weak Identity, Credential and Access Management
Use of weak passwords, failure to use multifactor authentication, a lack of ongoing automated rotation of cryptographic keys, passwords and certificates, and improper access management on the cloud system create security threats.

Abuse and Nefarious Use of Cloud Computing
Cloud computing gives an enormous computing platform for different organizations and individuals. Due to weak registration processes and limited fraud detection capabilities, malicious users easily get access to cloud services as a client. They infiltrate the cloud computers and upload malware and spam to thousands of computers, and use the power of the exploited cloud infrastructure to attack other machines. For example, an attacker can easily launch a DDoS type of attack.

Insecure Interfaces and APIs
Customers use software user interfaces and application programming interfaces (APIs) to manage and interact with cloud services. Sometimes a third party makes an API to add an extra service in the cloud system and is less concerned about the security. A hacker might exploit the vulnerability in those insecure interfaces and APIs and access other accounts.

Malicious Insiders
It means a person who has authorized access to the system and takes actions to damage the system, leak confidential information etc. For example, if an employee is not satisfied with the company, they can attack the system more easily than an outside attacker and leak the information.

Shared Technology Vulnerabilities
One important characteristic of cloud is multi-tenancy, where multiple users share the same cloud infrastructure resources at the same time. Several virtual machines are running at the same time and it is difficult to track and maintain the security between virtual and host machines. It may happen that a guest system tries to inject malicious code into the hypervisor and break the isolation layer between the guest VM and hypervisor, getting root privilege on the hypervisor.

Data Loss/Leakage/Breach
Data residing in the cloud can be lost or leaked in different ways, such as accidental deletion, natural calamity, loss of the encoding key or unauthorized access.

Account, Service & Traffic Hijacking
An unauthorized person can access authorized accounts and services and capture traffic between user and system by different ways such as man-in-the-middle attacks, phishing and spam campaigns, denial of service attacks etc.

Denial of Service Attacks
In this type of attack, the server is flooded with millions of requests at the same time, originated by unauthorized users. Their main intent is to overload the server. This will defunct the server function and authorized users cannot get service. The sophisticated form of Denial of Service attack is DDoS.

System and Application Vulnerabilities
Bugs in programs and vulnerabilities within the operating system such as the kernel, system libraries and application tools pose security threats in cloud computing. Attackers exploit system and program weaknesses and can launch attacks.

Fig: Cloud computing threats

Weak Identity, Credential and Access Management
Credentials and cryptographic keys should not be embedded in source code.
A secured public key infrastructure should be used in key management activities.
Federated identity, multifactor authentication, cryptographic keys including TLS certificates, and policy management in password systems should be implemented.

Confronting Abuse and Nefarious Use of Cloud Computing
Implement strict initial registration and validation processes
Comprehensive introspection of customer traffic
Monitor public blacklists and take the necessary steps if found suspicious

Confronting Insecure Application Programming Interfaces
Analyze and test the security model of the cloud provider API
Check whether the cloud provider has implemented strong authentication, encryption and access control lists
Check the dependency relations of the API

Confronting Malicious Insiders
More transparency is required in management and security processes
Compliance reporting and breach notification
Implementing role-based access control (RBAC)

Confronting Shared Technology Vulnerabilities
It can be minimized by implementing best practice during installation and configuration. It can be done by making the cloud provider more responsible for patching, vulnerability remediation, auditing and vendor support by mentioning it in the service level agreement (SLA). Implementing strong authentication and access control for administrative access is one way to minimize the threat posed by shared technology vulnerabilities.

Confronting Data Loss/Leakage/Breach
Users access cloud services using web or API. We should implement strong API access control. We can protect the data in design, runtime and transit by implementing strong encryption techniques. Secure key generation, storage and management, and destruction processes help to keep critical information safe, such as encryption keys, decryption keys, passwords and other user information. Sometimes natural calamity and accidental data deletion problems may happen. Data backup and retention strategies, redundant transmission links and disaster management strategies help to recover the original system.

Summary of threats and solutions (Modi, Patel, Borisaniya, Patel, & Rajarajan, 2012, p. 8)

Summary of cloud attacks and solutions (Modi, Patel, Borisaniya, Patel, & Rajarajan, 2012, p. 8)
Suggestion
A service level agreement (SLA) is an important legal document in cloud computing. Cloud users should sign it only after understanding each point in the SLA, for e.g. migration, interoperability, data deletion, disaster recovery system, redundancy path etc. If possible, do not put the most critical data and information in the cloud, and always make a backup of important data and information.

Conclusion
Cloud computing is a paradigm shift on traditional IT infrastructure and computing, where the computing is shifted to a cloud of computers. Along with its huge advantage over traditional IT, it has created new levels of security and privacy risk. Owners don't have physical, logical and technical control over their own data. There are a lot of security threats found in cloud computing such as data loss, data leakage, DNS attack, account, service and traffic hijacking, data breach, vendor lock-in, interoperability, cloud migration, complete deletion and many more. Some threats can be solved technically, such as data loss, data leakage, data breach, traffic hijacking etc., by strong authentication, authorization and encryption techniques. Some threats related to the cloud provider are minimized by the SLA (service level agreement), third-party auditing, vendor lock-in, data deletion, data backup, disaster recovery and migration. Some threats that are related to governance can be addressed by introducing law, policy and procedure. Some threats related to the client can be addressed by proper training such as how to access the cloud safely, how to manage important information like passwords, account information etc.

References

Erl, T., Puttini, R., & Mahmood, Z. (2013). Cloud computing: Concepts, technology, & architecture. Prentice Hall.
Cloud Security Alliance. (2016). The Treacherous 12: Cloud Computing Top Threats in 2016. Retrieved from Cloud Security Alliance website: https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/
Ashktorab, V., & Taghizadeh, S. R. (2012). Security threats and countermeasures in cloud computing. International Journal of Application or Innovation in Engineering & Management (IJAIEM), 1(2), 234-245.
Modi, C., Patel, D., Borisaniya, B., Patel, A., & Rajarajan, M. (2012). A survey on security issues and solutions at different layers of Cloud computing. J Supercomput, 63(2), 561-592. doi:10.1007/s11227-012-0831-5
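The original post's countermeasure that credentials and cryptographic keys must not be embedded in source code is something a repository check can enforce. The scanner below is an added example, not code from the thread: it flags AWS-style access key IDs (the public AKIA format), PEM private-key headers, and high-entropy string literals assigned to password/secret/key names, and skips low-entropy placeholders. The sample source lines, the entropy threshold and the name patterns are constructed assumptions.

```python
import math
import re

# Patterns for material that should never be committed. The AWS access key ID shape
# (AKIA followed by 16 uppercase alphanumerics) is publicly documented; the other two
# patterns are generic heuristics assumed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def scan_source(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, kind, value) for every suspected credential in a source file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(2) if kind == "assignment" else match.group(0)
                # A literal assigned to a secret-like name only counts if it looks random,
                # so placeholders such as "changeme" are not reported.
                if kind == "assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append((line_no, kind, value))
    return findings

# Constructed sample file. The AKIA value is the placeholder AWS uses in its own
# documentation; the private-key line is a header only, with no key material.
SAMPLE_SOURCE = "\n".join([
    "import boto3",
    'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "changeme"',
    'api_key = "q7Zp9xLm2vKd8sRt4hWe"',
    "-----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for line_no, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {value}")
```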

5 days ago

Rejitha Manoj

RE: Security threats in cloud computing and preventive methods.

Hi Shankar,
Is there any effective solution for cloud disaster recovery?

3 days ago

Shankar Hari Prasai

RE: Security threats in cloud computing and preventive methods.

A disaster is an unexpected event in a system lifetime. It can be made by nature (like the tsunami and earthquake), hardware/software failures (e.g., VMs' failure of Heroku hosted on Amazon EC2 in 2011) or even human (human error or sabotage). It can lead to serious financial loss or even can put human lives at risk (Kashiwazaki, 2012).
Yes.

There are several disaster recovery solutions in cloud computing. What type of solution customers need, they can take it depending on their requirements. Disaster can happen at three levels such as data level, system level, and application level. In the same way, solutions can be obtained at three levels or composite as Disaster Recovery as a Service (DRaaS).

List of solutions and how it can be done is shown in the below table.

It would be better for cloud users to mention all this in the SLA (service level agreement).
If you want to know more about it then please refer to the following sites:
www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
www.asd.gov.au/.../cloud_computing_security_considerations.htm

3 days ago

Rejitha Manoj

RE: Security threats in cloud computing and preventive methods.

ok Thanks

5 days ago

Kaur Jasbir

RE: Security threats in cloud computing and preventive methods.

What is a particular threat or condition for which a cloud provider is not responsible at all?

3 days ago

Shankar Hari Prasai

RE: Security threats in cloud computing and preventive methods.

If something malicious happened beyond the demarcation point, for example, compromise of a client device due to client negligence and ignorance such as: setting weak passwords, sharing passwords with others, not maintaining antivirus programs on one's terminal, accidental deletion of user's data by his own mistake, then the cloud provider isn't responsible for it.
Legally cloud providers are not responsible for what they haven't promised in the service level agreement (SLA).

3 days ago

Anim Shakya

RE: Security threats in cloud computing and preventive methods.

Hi, Shankar,
You have done very good research.
I am wondering whether the federated identity requirement you have mentioned as a method of confrontation adds a new platform for vulnerabilities? As federated identity is not governed either by the cloud provider or the cloud user. If the federated identity system goes down or has some fault, who would be accountable for the losses? Doesn't it add another level of dependency upon a party other than the cloud provider? Is it good practice in the aspects of clients? Can you please elaborate?
regards,
anim

2 days ago

Shankar Hari Prasai

RE: Security threats in cloud computing and preventive methods.

Federated identity management deals with the establishment of trust relationships between various security domains, to share authentication data to reduce management complexity and security risks. It separates user authentication from application code and delegates authentication to a trusted identity provider; as a result it minimizes the administrative overhead and helps to decouple authentication from authorization.

The trusted identity providers may include corporate directories, on-premises federation services, other security token services (STSs) provided by business partners, or social identity providers that can authenticate users who have, for example, a Microsoft, Google, Yahoo!, or Facebook account.

How communication happens

The user does not have to enter credentials for every application. This increases security because it prevents the proliferation of credentials required to access many different applications, and it also hides the user's credentials from all but the original identity provider. Applications see just the authenticated identity information contained within the token.

Technologies used for federated identity include SAML (Security Assertion Markup Language), OAuth, OpenID, Security Tokens (Simple Web Tokens, JSON Web Tokens, and SAML assertions), Web Service Specifications, Microsoft Azure Cloud Services, and Windows Identity Foundation.

Your query answers
Your question was about vulnerabilities. It doesn't add vulnerability as you projected above because it is a technical enhancement on the cloud service provider. It may be offered by the cloud provider itself or by a trusted party.
Obviously the cloud provider is responsible for losses because the user is only concerned about the result. An agreement has been signed between the third party provider and the cloud provider.
It seems yes. However the cloud provider itself can implement those services if it has enough resources.
It is solely done for the benefit of the client because it secures client information and a single identity can be used for multiple services.

https://www.researchgate.net/publication/261491220_Integral_Federated_Identity_Mana [accessed May 22, 2016].
https://msdn.microsoft.com/en-us/library/dn589790.aspx
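The reply above says applications see only the authenticated identity information inside the token; the relying party still has to verify that token before trusting it. The following is an added example, not the thread's code or any vendor's library: a minimal HS256 JSON Web Token issued by a constructed identity provider, and the checks (pinned algorithm, signature, issuer, audience, expiry) a cloud application should apply before accepting it. The shared secret, issuer and audience values are constructed.

```python
import base64
import hashlib
import hmac
import json

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes) -> str:
    """Identity-provider side: sign the claims as an HS256 JSON Web Token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"

def verify_token(token: str, secret: bytes, issuer: str, audience: str, now: float) -> dict:
    """Relying-party side: return the claims only if the token was signed by the trusted
    identity provider, is addressed to this application and has not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the token's own "alg" field; this is what
    # defeats alg=none and key-confusion tricks against the relying party.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not meant for this application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def check(token: str, secret: bytes, issuer: str, audience: str, now: float) -> str:
    """Return 'ok' or the rejection reason, the way an access log would record it."""
    try:
        verify_token(token, secret, issuer, audience, now)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed values for the example. A production identity provider would sign with an
# asymmetric key (RS256/ES256) so relying parties hold only the public half.
IDP_SECRET = b"constructed-shared-secret-for-this-example-only"
ISSUER = "https://idp.example"
AUDIENCE = "cloud-app"
```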

3 days ago

Deep Prakash Kaucha

RE: Security threats in cloud computing and preventive methods.

Hi Shankar, you have presented the cloud service in a very good way. As you described, hackers exploit the insecure interfaces and APIs; can you plz explain some ways to secure these vulnerabilities in cloud services?


2 days ago

Shankar Hari Prasai

RE: Security threats in cloud computing and preventive methods.

Security practices should be well integrated into their service models by the cloud service provider.
Applications and interfaces (APIs) shall be designed, developed and deployed in accordance with industry acceptable standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Security policies governing the creation, dissemination, storage and disposal of keys should be in place, and keys should be stored securely in a hardware security module or other encrypted and protected file store. Important/credential information should be embedded into scripts as plain text.
Performing penetration tests and vulnerability assessments
Releasing documentation of API, application assessment results and reports
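The reply above calls for policies governing the creation, storage and disposal of keys, and the original post lists the lack of ongoing rotation of keys, passwords and certificates as a threat. The audit below is an added example, not code from the thread: it evaluates a constructed credential inventory against an assumed maximum age per credential type, an assumed list of approved key stores and a certificate-expiry warning window.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed policy for this example: maximum age before a credential must be rotated.
MAX_AGE_DAYS = {"api_key": 90, "password": 90, "tls_cert": 365, "kms_key": 365}
CERT_WARNING_DAYS = 30                      # warn this long before a certificate lapses
APPROVED_STORES = {"hsm", "kms", "vault"}   # assumed list of acceptable key stores

@dataclass
class Credential:
    name: str
    kind: str
    created: date
    store: str                       # where the secret material actually lives
    expires: Optional[date] = None   # certificates (and some keys) carry a hard expiry

def audit_credentials(inventory: List[Credential], today: date) -> List[Tuple[str, str]]:
    """Return (name, finding) for every credential that violates the policy above."""
    findings = []
    for cred in inventory:
        age = (today - cred.created).days
        limit = MAX_AGE_DAYS.get(cred.kind)
        if limit is not None and age > limit:
            findings.append((cred.name, f"rotation overdue by {age - limit} days"))
        if cred.expires is not None:
            days_left = (cred.expires - today).days
            if days_left < 0:
                findings.append((cred.name, "expired"))
            elif days_left <= CERT_WARNING_DAYS:
                findings.append((cred.name, f"expires in {days_left} days"))
        if cred.store not in APPROVED_STORES:
            # Covers the "keys embedded in source code" case from the first post.
            findings.append((cred.name, f"stored in '{cred.store}', not an approved key store"))
    return findings

# Constructed inventory; names, dates and stores are made up for the example.
AUDIT_DATE = date(2016, 5, 23)
INVENTORY = [
    Credential("prod-api-key", "api_key", date(2016, 1, 1), "vault"),
    Credential("admin-password", "password", date(2016, 4, 1), "source-code"),
    Credential("www-tls-cert", "tls_cert", date(2015, 6, 10), "hsm", expires=date(2016, 6, 9)),
    Credential("db-kms-key", "kms_key", date(2016, 5, 1), "kms"),
]

if __name__ == "__main__":
    for name, finding in audit_credentials(INVENTORY, AUDIT_DATE):
        print(f"{name}: {finding}")
```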
