Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Cloud computing Security

Cloud Genius
Cloud Genius

This document discusses security issues related to cloud computing. It outlines security concerns faced by both cloud providers and clients. For providers, ensuring infrastructure and client data/apps are secure is critical. For clients, making sure providers have proper security measures is important. The document then covers specific security topics like data protection, identity management, compliance with regulations, legal/contractual obligations, secure system design principles, secure coding practices, and common application threats.

1 of 15
Cloud Computing Security1
Cloud Computing Security 2
Cloud Security Issues/Concerns ¨  Faced by providers ¤  Ensure that infrastructure is secure ¤  Client data and apps are protected ¨  Faced by clients ¤  Ensure that provider has taken proper measures to protect info 3 Security and Privacy Compliance Legal/ Contractual issues
Security and Privacy ¨  Data Protection ¤  Data stored securely n  when at rest and n  while in motion ¨  Identity Management ¤  ID Federation ¤  Single Sign On ¤  Other Identity Management that Clients dictate ¨  Physical and Personnel Security ¤  Access is secured and documented ¨  Availability ¤  Regular and predictable access to data and applications ¨  Application Security ¤  Testing and acceptance procedure for 3rd party code/outsourced code ¤  App level firewalls ¨  Privacy ¤  Only authorized users access information ¤  Digital identity protection 4
Compliance Cloud providers must enable clients to comply with regulations ¨  Laws and Regulations ¤  Depends on geography and laws of the land ¤  e.g., Health Insurance Portability and Accountability Act (HIPAA), Sarbanes- Oxley Act (SarbOx) ¨  Industry Standards ¤  e.g., Payment Card Industry Data Security Standard (PCI DSS) ¨  Regular reporting requirements ¨  Audit Trails ¨  Business Continuity and Data Recovery ¤  Services continue even in case of a disaster ¤  Plan for recovery of lost data ¨  Logs and Audit Trails ¤  eDiscovery ¤  Forensic Investigation ¨  Client specific compliance requirements ¨  Data isolation requirements 5
Legal/Contractual Issues ¨  Liability Terms ¨  Intellectual Property ¨  End of service obligations ¨  Public records ¤  Record keeping ¤  Retain and make data available ¤  May be stipulated by law 6
Computer Security 7 Secure OS Secure Architecture Security by design Secure coding practise Vulnerability Eavesdropping Exploits Trojans/Virus/DOS Payloads Backdoors/Rootkits/Key loggers ComputerSecurity ComputerInsecurity
Security by Design 8 ¨  Principle of least privilege ¤  An entity has only the privileges it needs to function ¤  Hacker gaining access to one part would find it equally difficult to access other parts ¨  Breaking modules into small individual components simplifies correct design of crucial software subsystems ¨  Rigorous code review and unit testing ¨  Smart Secure Default Settings ¤  Fail to a secure state. Not fail to an insecure state ¤  A secure system should require deliberate, conscious, knowledgeable and free decision on part of legitimate authority in order to make it insecure
Security Architecture ¨  Design artifacts that describe how security controls are positioned to ensure system quality attributes 9 Confidentiality Integrity AvailabilityAccountability Assurance
Hardware Mechanisms for Security 10 ¨  Hardware based or hardware assisted compliments software based security, e.g, ¤  Trusted Platform Modules (TPM) ¤  Devices/Dongles that require physical access
Secure OS 11 ¨  Ultra-strong secure OS ¤  Based on kernel that guarantee certain security policies are absolutely enforced in an operating environment ¤  e.g., Bell-LaPadula model ¤  Such OS are not widely known ¤  Used primarily to protect n  National security/Military secrets ¤  e.g., NSA Blacker, Honeywell SCOMP ¤  Achieve the orange book standard Microprocessor Hardware Features such as memory management Correctly implemented OS kernel
Secure Coding 12 ¨  Most commercial OS fall in a “low security” category so applications must make themselves resistant to malicious subversion ¨  Common software defects include ¤  buffer overflows ¤  format string vulnerabilities ¤  integer overflow ¤  code/command injection ¤  dangling pointers
Application Threats/Attacks ¨  Input Validation ¤  Buffer overflow, cross site scripting, SQL injection ¨  Authentication ¤  Eavesdropping, brute force attack, dictionary attach, cookie replay, credential theft ¨  Authorization ¤  Elevation of privilege, disclosure of confidential info, data tampering ¨  Configuration Management ¤  Unauth access to admin interfaces, retrieval of config data in clear text, lack of individual accountability ¨  Sensitive Information ¤  Unauth access to stored data ¨  Session Management ¤  Session hijacking, session replace, man in the middle attacks ¨  Cryptography ¤  Poor key generation, weak encryption, improper key management practices ¨  Parameter Manipulation ¤  Query string manipulation, Form field manipulation, cookie manipulation, HTTP header manipulation ¨  Exception management ¤  Improper info disclosure, denial of service ¨  Auditing and logging ¤  User denies performing an operation, attacker exploits without a trace or covers the tracks 13
Questions and discussion on topic 14
15 Thank you.

More Related Content

Cloud computing Security

  • 3. Cloud Security Issues/Concerns ¨  Faced by providers ¤  Ensure that infrastructure is secure ¤  Client data and apps are protected ¨  Faced by clients ¤  Ensure that provider has taken proper measures to protect info 3 Security and Privacy Compliance Legal/ Contractual issues
  • 4. Security and Privacy ¨  Data Protection ¤  Data stored securely n  when at rest and n  while in motion ¨  Identity Management ¤  ID Federation ¤  Single Sign On ¤  Other Identity Management that Clients dictate ¨  Physical and Personnel Security ¤  Access is secured and documented ¨  Availability ¤  Regular and predictable access to data and applications ¨  Application Security ¤  Testing and acceptance procedure for 3rd party code/outsourced code ¤  App level firewalls ¨  Privacy ¤  Only authorized users access information ¤  Digital identity protection 4
  • 5. Compliance Cloud providers must enable clients to comply with regulations ¨  Laws and Regulations ¤  Depends on geography and laws of the land ¤  e.g., Health Insurance Portability and Accountability Act (HIPAA), Sarbanes- Oxley Act (SarbOx) ¨  Industry Standards ¤  e.g., Payment Card Industry Data Security Standard (PCI DSS) ¨  Regular reporting requirements ¨  Audit Trails ¨  Business Continuity and Data Recovery ¤  Services continue even in case of a disaster ¤  Plan for recovery of lost data ¨  Logs and Audit Trails ¤  eDiscovery ¤  Forensic Investigation ¨  Client specific compliance requirements ¨  Data isolation requirements 5
  • 6. Legal/Contractual Issues ¨  Liability Terms ¨  Intellectual Property ¨  End of service obligations ¨  Public records ¤  Record keeping ¤  Retain and make data available ¤  May be stipulated by law 6
  • 7. Computer Security 7 Secure OS Secure Architecture Security by design Secure coding practise Vulnerability Eavesdropping Exploits Trojans/Virus/DOS Payloads Backdoors/Rootkits/Key loggers ComputerSecurity ComputerInsecurity
  • 8. Security by Design 8 ¨  Principle of least privilege ¤  An entity has only the privileges it needs to function ¤  Hacker gaining access to one part would find it equally difficult to access other parts ¨  Breaking modules into small individual components simplifies correct design of crucial software subsystems ¨  Rigorous code review and unit testing ¨  Smart Secure Default Settings ¤  Fail to a secure state. Not fail to an insecure state ¤  A secure system should require deliberate, conscious, knowledgeable and free decision on part of legitimate authority in order to make it insecure
  • 9. Security Architecture ¨  Design artifacts that describe how security controls are positioned to ensure system quality attributes 9 Confidentiality Integrity AvailabilityAccountability Assurance
  • 10. Hardware Mechanisms for Security 10 ¨  Hardware based or hardware assisted compliments software based security, e.g, ¤  Trusted Platform Modules (TPM) ¤  Devices/Dongles that require physical access
  • 11. Secure OS 11 ¨  Ultra-strong secure OS ¤  Based on kernel that guarantee certain security policies are absolutely enforced in an operating environment ¤  e.g., Bell-LaPadula model ¤  Such OS are not widely known ¤  Used primarily to protect n  National security/Military secrets ¤  e.g., NSA Blacker, Honeywell SCOMP ¤  Achieve the orange book standard Microprocessor Hardware Features such as memory management Correctly implemented OS kernel
  • 12. Secure Coding 12 ¨  Most commercial OS fall in a “low security” category so applications must make themselves resistant to malicious subversion ¨  Common software defects include ¤  buffer overflows ¤  format string vulnerabilities ¤  integer overflow ¤  code/command injection ¤  dangling pointers
  • 13. Application Threats/Attacks ¨  Input Validation ¤  Buffer overflow, cross site scripting, SQL injection ¨  Authentication ¤  Eavesdropping, brute force attack, dictionary attach, cookie replay, credential theft ¨  Authorization ¤  Elevation of privilege, disclosure of confidential info, data tampering ¨  Configuration Management ¤  Unauth access to admin interfaces, retrieval of config data in clear text, lack of individual accountability ¨  Sensitive Information ¤  Unauth access to stored data ¨  Session Management ¤  Session hijacking, session replace, man in the middle attacks ¨  Cryptography ¤  Poor key generation, weak encryption, improper key management practices ¨  Parameter Manipulation ¤  Query string manipulation, Form field manipulation, cookie manipulation, HTTP header manipulation ¨  Exception management ¤  Improper info disclosure, denial of service ¨  Auditing and logging ¤  User denies performing an operation, attacker exploits without a trace or covers the tracks 13