
A SEMINAR ON

SECURITY THREATS AND MODELS IN CLOUD COMPUTING

OVERVIEW

1. Introduction
2. Key attributes of cloud
3. Cloud service and deployment models
4. Security issues in cloud computing
5. Case study: secure cloud computing platform (Nebula)
6. Security features in Nebula
7. Conclusion

INTRODUCTION TO CLOUD COMPUTING

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (This is the NIST definition.)

This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Conventional Computing vs. Cloud Computing

Conventional                       | Cloud
-----------------------------------|------------------------------------
Dedicated hardware                 | Shared hardware
Fixed capacity                     | Elastic capacity
Pay for capacity                   | Pay for use
Capital and operational expenses   | Operational expenses only
                                   | Self-provisioned, managed via APIs

INTRODUCTION

Key Cloud Attributes:

1. Shared / pooled resources
2. Broad network access
3. On-demand self-service
4. Metered by use

Shared / Pooled Resources:
- Resources are drawn from a common pool
- Common resources build economies of scale
- Common infrastructure runs at high efficiency
- The same sharing is why tenant isolation becomes a security requirement: another customer's workload runs on the same hardware, network and storage

Broad Network Access:
- Open standards and APIs
- Almost always IP, HTTP, and REST
- Available from anywhere with an internet connection

On-Demand Self-Service:
- Completely automated
- Users are abstracted from the implementation
- Near real-time delivery (seconds or minutes)
- Services accessed through a self-serve web interface

Metered by Use:
- Services are metered, like a utility
- Users pay only for services used
- Services can be cancelled at any time

Three Service Delivery Models

IaaS: Infrastructure as a Service
The consumer can provision computing resources within the provider's infrastructure and deploy and run arbitrary software on them, including operating systems and applications.

PaaS: Platform as a Service
The consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure.

SaaS: Software as a Service
The consumer uses the provider's applications running on the provider's cloud infrastructure.

The lower in this stack the consumer operates, the more of the security work stays with the consumer: an IaaS tenant patches its own guest OS and runs its own host firewall, a SaaS tenant does neither.

[Figure: service model stack. IaaS: virtual machines, virtual networks. PaaS: auto-elastic, continuous integration. SaaS: built for the cloud, uses PaaS.]

Service Delivery Model Examples

[Figure: example providers (Amazon, Google, Microsoft, Salesforce) mapped onto the SaaS / PaaS / IaaS layers.]

Products and companies shown for illustrative purposes only and should not be construed as an endorsement.

SECURITY ISSUES IN CLOUD COMPUTING

- Need for isolation management (tenants share hardware, networks and storage)
- Logging challenges
- Data ownership issues
- Quality of service guarantees
- Attraction to attackers (many tenants' data concentrated in one target)
- Security of virtual OSs (guest images and the hypervisor) in the cloud
- Identity management
- Data theft

CASE STUDY - SECURE CLOUD COMPUTING PLATFORM: NEBULA

Nebula is an open-source cloud computing model and service developed at NASA as an alternative to the costly construction of additional data centers. Its principles:
- Open and public APIs, everywhere
- Open-source platform, apps, and data
- Full transparency
- Open-source code and documentation releases

SECURITY IN NEBULA

User Isolation from the Nebula Infrastructure
- Users only have access to APIs and dashboards
- No direct user access to the Nebula infrastructure
- Project-based separation: a project is a set of compute resources accessible by one or more users
- Each project has its own:
  - VLAN for project instances
  - VPN for project users to launch, terminate, and access instances
  - Image library of instances

SECURITY GROUPS IN NEBULA

- Combination of VLANs and subnetting
- Can be extended to use physical network/node separation
- A VLAN only separates projects at layer 2; traffic between project subnets still has to be filtered, which is what the project rule sets do

[Figure: Nebula network layout. An Internet bridge carries the public IP space and an external scanner; behind it sit the cloud APIs, DMZ services, and the RFC 1918 space (LAN_X) holding Project A (10.1.1/24) and Project B (10.1.2/24). Operations side: an operations console (custom), security scanners (Nessus, Hydra, etc.), log aggregation with a SOC tap, and an event correlation engine.]

TARGET COMPUTE PLATFORM

Offer scientists services to address the gap.

[Figure: spectrum from desktop, through server-based compute resources, to supercomputer. Nebula targets the gap with high-end compute, vast storage, and high-speed networking.]

SECURITY FEATURES IN NEBULA

Firewalls

Multiple levels of firewalling:
- Hardware firewall at the site border
- Firewall on cluster network head-ends
- Host-based firewalls on key hosts
- Project-based rule sets modelled on Amazon security groups
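As an added example (not Nebula's or Nova's code) of the project-based separation described above and of the project rule sets modelled on security groups: a small Python model that turns projects (VLAN, subnet, security-group ingress rules) into an ordered first-match filter table, renders it as iptables FORWARD-chain commands for reading, and evaluates sample packets against it. The project subnets follow the deck's diagram; the rule tuple format, the rule ordering and the packet evaluator are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Project:
    name: str
    vlan: int
    cidr: str
    # Security-group ingress rules: (proto, dst_port, source_cidr) allowed to
    # reach this project's instances from outside the project (assumed format).
    ingress: list = field(default_factory=list)


def build_rules(projects):
    """Ordered first-match filter table; each rule is
    (action, proto, dst_port, src_cidr, dst_cidr, comment)."""
    rules = []
    # 1. Traffic within a project's own subnet (same VLAN) is allowed.
    for p in projects:
        rules.append(("ACCEPT", "any", None, p.cidr, p.cidr,
                      f"intra-project {p.name} (VLAN {p.vlan})"))
    # 2. Traffic between two different projects is dropped, and these rules
    #    come before any security-group rule so a group can never undo them.
    for src in projects:
        for dst in projects:
            if src is not dst:
                rules.append(("DROP", "any", None, src.cidr, dst.cidr,
                              f"isolate {src.name} -> {dst.name}"))
    # 3. Ingress from elsewhere only where a security-group rule permits it.
    for p in projects:
        for proto, port, source in p.ingress:
            rules.append(("ACCEPT", proto, port, source, p.cidr,
                          f"security group {p.name}"))
    # 4. Default deny.
    rules.append(("DROP", "any", None, "0.0.0.0/0", "0.0.0.0/0", "default deny"))
    return rules


def as_iptables(rules):
    """Render the table as iptables FORWARD-chain commands (text only, not executed)."""
    lines = []
    for action, proto, port, src, dst, comment in rules:
        cmd = ["iptables -A FORWARD"]
        if proto != "any":
            cmd.append(f"-p {proto}")
        cmd.append(f"-s {src} -d {dst}")
        if port is not None:
            cmd.append(f"--dport {port}")
        cmd.append(f"-m comment --comment '{comment}' -j {action}")
        lines.append(" ".join(cmd))
    return lines


def decide(rules, src_ip, dst_ip, proto="tcp", port=None):
    """Evaluate one packet against the table; the first matching rule wins."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for action, r_proto, r_port, r_src, r_dst, _comment in rules:
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        if s in ip_network(r_src) and d in ip_network(r_dst):
            return action
    return "DROP"  # unreachable while the default-deny rule is present


# Constructed sample: the two projects from the Nebula diagram.  Project A
# exposes HTTPS to the world; project B allows SSH only from one admin range.
PROJECTS = [
    Project("A", vlan=101, cidr="10.1.1.0/24", ingress=[("tcp", 443, "0.0.0.0/0")]),
    Project("B", vlan=102, cidr="10.1.2.0/24", ingress=[("tcp", 22, "192.0.2.0/24")]),
]
RULES = build_rules(PROJECTS)

if __name__ == "__main__":
    for line in as_iptables(RULES):
        print(line)
    print(decide(RULES, "10.1.1.5", "10.1.2.9", "tcp", 443))  # DROP: cross-project
```

The ordering is the point: the inter-project DROP rules sit ahead of every security-group ACCEPT, so project A opening 443 to the whole Internet does not make its instances reachable from project B's subnet. The VLAN gives each project its own broadcast domain; the filter is what enforces that one project cannot talk to another.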

Remote User Access
- Remote access is only through VPN (OpenVPN)
- Separate administrative VPN and user VPNs
- Each project has its own VPN server

Intrusion Detection
- Open-source host-based intrusion detection
- Mirror port to the NASA SOC tap

Vulnerability Scanning
- Nebula uses both internal and external vulnerability scanners
- Findings are correlated between internal and external scans: the external scan shows what an attacker reaches through the border firewall, the internal scan shows what is exposed inside a project's VLAN, and a service that appears only in the internal results is one the perimeter is currently hiding, not one that is fixed

Incident Response
Procedures for isolating individual VMs, compute nodes, and clusters, including:
- Taking a snapshot of suspect VMs, including a memory dump (done first, before any isolation step that would stop or reboot the VM and lose volatile evidence)
- Quarantining a VM within a compute node
- Disabling VM images so new instances can't be launched
- Isolating a compute node within a cluster
- Isolating a cluster

INNOVATION - SECURITY GATES

- API calls can be intercepted and security gates imposed on the function being called
- When an instance is launched, it can be scanned automatically for vulnerabilities
- Long-term vision: a pass/fail launch gate based on scan/monitoring results
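As an added example (not Nebula's code) of intercepting an API call and imposing a security gate on it: a Python decorator wraps a stand-in launch call, looks up the latest scan findings for the requested image, and fails the launch when any finding reaches the configured severity; a monitor-only mode logs the same verdict without blocking, which is how a gate is usually run before it is switched to pass/fail. The launch function, the scan-result table, the severity scale and the two modes are assumptions made for illustration; a real deployment would fill the table from the scanner instead of the constructed entries shown.

```python
import functools
import logging

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan results keyed by image id: list of (finding, severity).
# "img-new-03" is deliberately absent: it has never been scanned.
SCAN_RESULTS = {
    "img-web-01": [("outdated OpenSSL", "high"), ("weak SSH ciphers", "medium")],
    "img-batch-02": [("world-readable /tmp", "low")],
}


class GateFailed(Exception):
    """Raised when the launch gate blocks an API call."""


def evaluate(image_id, threshold="high", require_scan=True):
    """Return (verdict, reasons); verdict is 'pass' or 'fail'.

    An image with no scan on record fails by default: an unscanned image is
    not a clean image, it is an unknown one."""
    findings = SCAN_RESULTS.get(image_id)
    if findings is None:
        return ("fail" if require_scan else "pass", ["no scan result on record"])
    bad = [f"{name} ({sev})" for name, sev in findings
           if SEVERITY[sev] >= SEVERITY[threshold]]
    return ("fail" if bad else "pass", bad)


def security_gate(threshold="high", mode="enforce"):
    """Decorator that intercepts an API call and imposes the gate on it.

    mode='enforce' raises GateFailed; mode='monitor' only logs the verdict."""
    def wrap(api_call):
        @functools.wraps(api_call)
        def gated(image_id, *args, **kwargs):
            verdict, reasons = evaluate(image_id, threshold)
            if verdict == "fail":
                msg = f"launch gate failed for {image_id}: {'; '.join(reasons)}"
                if mode == "enforce":
                    raise GateFailed(msg)
                logging.warning("%s (monitor mode, launch allowed)", msg)
            return api_call(image_id, *args, **kwargs)
        return gated
    return wrap


# Stand-in for the real launch API call (assumed signature).
_launched = []


@security_gate(threshold="high", mode="enforce")
def launch_instance(image_id, project):
    inst = {"id": f"i-{len(_launched) + 1:04d}", "image": image_id, "project": project}
    _launched.append(inst)
    return inst


if __name__ == "__main__":
    print(launch_instance("img-batch-02", "A"))
    try:
        launch_instance("img-web-01", "A")
    except GateFailed as exc:
        print("blocked:", exc)
```

The gate sits on the API call rather than inside the scanner, so the same interception point can later take monitoring results as a second input without changing the launch path. Lowering the threshold to "medium" would block "img-web-01" on both findings; the monitor mode lets an operator see how many launches a new threshold would have stopped before enforcing it.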

SECURITY ARCHITECTURE OF NEBULA

CLOUD NODE IN NEBULA

[Figure: Nova cloud node. Components: LDAP data store, Redis KVS, Puppet, RabbitMQ, PXE, Ubuntu OS.]

TOOLS

PXE
Preboot Execution Environment: boots a computer over its network interface rather than from local storage, following the DHCP model; here it is how cloud nodes are provisioned. It is a tool used in the OpenStack cloud. OpenStack is an open-source cloud computing management infrastructure. Nova, its compute service, has a messaging-based architecture; its major components are the Compute Controller, Volume Controller, and Network Controller.

PUPPET
Configuration management; it appears on every node type in the diagrams (cloud, object, and network nodes) and builds each node to a known configuration.

NOVA COMPUTE NODE

RabbitMQ: open-source message broker software (message-oriented middleware) that implements the Advanced Message Queuing Protocol (AMQP) standard. Nova's components talk to each other through it, so anything that can publish to the broker can drive compute nodes; the broker belongs on the management network with authenticated clients, not on a project VLAN.

NOVA NODE

OBJECT NODE

[Figure: Nova object node. Components: Nginx, Puppet, PXE, Ubuntu OS.]

Nginx: an open-source web server and reverse proxy server for the HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage.

NETWORK NODE

[Figure: Nova network node between the project VLAN and the public Internet. Components: brctl, Puppet, 802.1Q, PXE, iptables, Ubuntu OS.]

brctl: sets up and inspects the network bridge configuration in the Linux kernel. A bridge is a device used to connect different network segments at layer 2. In the diagram it sits alongside 802.1Q VLAN tagging and iptables, which is where the per-project VLANs and the project firewall rule sets are realized.

CONCLUSION
Security threats in the cloud are a hurdle to the adoption of cloud computing. Nebula shows how a cloud platform can be built for high security and high availability on the Internet, so that users can store sensitive data in it. Nebula is open source, so it is cost effective.

