This presentation gives you the information you need to know about cloud computing. It describes cloud computing and its related issues from top to bottom, with survey results, definitions drawn from several white papers, and security concerns taken from notable research papers.
Cloud Computing Security and Privacy
1.
2. Cloud Computing:
Security and Privacy
Prepared by
Istiyak Hossain Siddiquee
2009331009
Supervised by
Dr. Mohammed Jahirul Islam
Associate Professor
Dept. of Computer Science & Engineering
Shahjalal University of Science & Technology
Sylhet, Bangladesh.
3. “Cloud Computing is an important transition, a paradigm shift in IT services delivery - one that
has broad impact and can present significant challenges.”
---"Cloud Computing: Considerations and Next Steps", published by Intel
“It's stupidity. It's worse than stupidity. It's a marketing hype campaign.”
---Richard Stallman, President, Free Software Foundation
4.
5. An IT model or computing environment composed of IT components (hardware, software, networking, and services) as well as the processes around the deployment of these elements that together enable us to develop and deliver cloud services via the Internet or a private network.
--- Securing the Cloud, Winkler
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared
pool of configurable computing resources (e.g., networks, servers, storage, applications, and services).
--- Security Guidance for Critical Areas of Focus in Cloud Computing v3.0
By Cloud Security Alliance, CSA
Cloud computing is an evolution in which IT consumption and delivery are made available in a self–
service fashion via the Internet or internal network, with a flexible pay-as-you-go business model and
requires a highly efficient and scalable architecture.
--- Cloud Computing: Considerations and Next Steps, Intel
6. “Cloud Computing refers to both the applications delivered as services over
Internet and the hardware and systems software in the datacenters that
provide those services.”
--- Above the Clouds: A Berkeley View of Cloud Computing,
University of California Berkeley
“A model for enabling ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing resources (e.g.
networks, servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or service
provider interaction.”
--- National Institute of Standards and Technology (NIST)
11. Source: "Leveraging the Cloud for Law Enforcement" survey results,
IACP, SafeGov, January 31, 2013
12. Essential Characteristics of Cloud Computing According to NIST
On-demand Self Service
Broad network access
Resource pooling
Rapid elasticity
Measured service
• Cost containment
• Innovation speed
• Availability
• Scalability
• Efficiency
• Elasticity
--- Schweizerische Akademie der Technischen Wissenschaften (SATW)
13. So, the attractive points of cloud computing are
Efficiency
Scalability
Elasticity
Availability
Agility
Recovery
No upfront cost
Pay as you go
Innovation speed
17. Source: IT PRO Cloud Survey By Microsoft TechNet Cloud Power
18.
19. IaaS
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
----According to NIST
provides virtual machines and other abstracted hardware and operating systems
which may be controlled through a service API.
----According to ENISA
delivers computer infrastructure (typically a platform virtualization environment) as
a service, along with raw storage and networking. Rather than purchasing
servers, software, data-center space, or network equipment, clients instead buy
those resources as a fully outsourced service
----According to CSA
22. PaaS
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
----According to NIST
allows customers to develop new applications using APIs deployed and configurable
remotely. The platforms offered include development tools, configuration
management, and deployment platforms.
----According to ENISA
the delivery of a computing platform and solution stack as a service. PaaS offerings
facilitate deployment of applications without the cost and complexity of buying and
managing the underlying hardware and software and provisioning hosting capabilities.
This provides all of the facilities required to support the complete life cycle of building and
delivering web applications and services entirely available from the Internet.
----According to CSA
25. SaaS
The capability provided to the consumer is to use the provider’s applications running
on a cloud infrastructure. The applications are accessible from various client devices
through either a thin client interface, such as a web browser (e.g., web-based
email), or a program interface. The consumer does not manage or control the
underlying cloud infrastructure including network, servers, operating
systems, storage, or even individual application capabilities, with the possible
exception of limited user specific application configuration settings.
----According to NIST
is software offered by a third party provider, available on demand, usually via the
Internet configurable remotely.
----According to ENISA
a software delivery model in which software and its associated data are hosted
centrally (typically in the (Internet) cloud) and are typically accessed by users using a
thin client, normally using a web browser over the Internet.
----According to CSA
33. Public Cloud
The cloud infrastructure is provisioned for open use by the general public. It may be
owned, managed, and operated by a business, academic, or government
organization, or some combination of them.
---- According to NIST
The cloud infrastructure is made available to the general public or a large industry
group and is owned by an organization selling cloud services.
----According to ENISA
Public cloud refers to solutions where resources are dynamically provisioned over the
Internet from an offsite third-party provider who shares resources and bills on a fine-grained utility computing basis.
----According to Ajilitee
34. Examples of Public Cloud
Amazon Elastic Compute Cloud (EC2)
IBM’s Blue Cloud
SunCloud
Google AppEngine
Windows Azure Services Platform
35. Private Cloud
The cloud infrastructure is provisioned for exclusive use by a single
organization comprising multiple consumers (e.g. business units). It may
be owned, managed, and operated by the organization, a third party, or
some combination of them, and it may exist on or off premises.
--- According to NIST
The cloud infrastructure is operated solely for a single organization. It
may be managed by the organization or by a third party and may be
located on-premise or off-premise.
--- According to CSA
36. Examples of Private Cloud
Amazon Virtual Private Cloud
IBM SmartCloud Foundation
Microsoft Private Cloud
Cisco Private Cloud solutions
VMware Private Cloud Computing
Dell Cloud Solutions
Rackspace Private Cloud
Citrix CloudPlatform
37. Hybrid Cloud
The cloud infrastructure is a composition of two or more
distinct cloud infrastructures (private, community, or
public) that remain unique entities, but are bound together
by standardized or proprietary technology that enables
data and application portability (e.g., cloud bursting for
load balancing between clouds).
--- According to NIST
38. Community Cloud
The cloud infrastructure is shared by several organizations
and supports a specific community that has shared
concerns (e.g., mission, security requirements, policy, or
compliance considerations). It may be managed by the
organizations or by a third party and may be located on
premise or off-premise.
--- According to CSA
This model overlaps to some extent with grid computing:
several organizations with similar concerns about mission,
security requirements, policy, and compliance considerations
form a private community and share the cloud infrastructure.
43. Let's review this survey result...
Source: Cloud Computing Vulnerability Incidents: A Statistical Overview, by CSA
44. Gartner, the American information technology research and advisory firm, has identified seven cloud computing risks. These are:
Privileged user access
Regulatory compliance
Data location
Data segregation
Recovery
Investigative support
Long term viability
CSA released a notable document titled The Notorious Nine: Cloud Computing Top Threats, in which they identified nine security problems as the top threats for that year:
Data Breaches
Data Loss
Account Hijacking
Insecure APIs
Denial of Service
Malicious Insiders
Abuse of Cloud Services
Insufficient Due Diligence
Shared Technology Issues
45. So we can classify these threats into the following categories:
Confidentiality and Privacy
Availability
Integrity
Auditability and Forensics
Other Issues
Let us go through these points...
47. When considering cloud computing security, the word that comes up most often is confidentiality of data.
Privacy is closely related to confidentiality, because revealing confidential data is a violation of privacy.
Confidentiality and privacy leakages can occur in two ways:
Losing control over data. Customers often become anxious about the confidentiality of their data
because they lose control over it: when they host their classified information in the cloud they
usually lose control over where and how the data is stored and handled, even though they retain
the authorization to access it.
Privacy and confidentiality compromised. One of the most common threats to computing
technology in general, and to cloud computing in particular, is "compromise". To describe this in
detail we will sub-divide this point.
48. Threats from Insiders. There are two types of threat here.
Firstly, from a current or former employee, contractor, or other business partner
who has or had authorized access to an organization's network, system, or data and
intentionally exceeded or misused that access in a manner that negatively affected the
confidentiality, integrity, or availability of the organization's information or information
systems.
Secondly, from the provider itself. What if the provider is running a cheap data
mining process over your confidential data? It could even conduct espionage on your data.
49. Threats from Outsiders. These are the threats that worry companies most. There are many types of outsider threat, including:
Cloud malware injection attack
Account or service hijacking
Virtual machine security problems
Flooding attacks
Data security (data in transit)
Hypervisor vulnerability
Shared resources issues
Compliance
50. Cloud malware injection attack. A research paper describes this type of attack.
The attacker first attempts to inject a malicious service implementation or virtual
machine into the cloud system. Once admitted, this instance can serve several purposes,
ranging from eavesdropping via subtle data modification to full functionality changes or
blocking of the legitimate service. The attacker may also use SQL injection or cross-site
scripting attacks to acquire sensitive data.
51. Account or service hijacking. Account or service hijacking is not new: attack methods such
as phishing, fraud, and exploitation of software vulnerabilities still achieve results.
Cloud solutions add a new dimension to this threat. If an attacker gains access to your
credentials, they can eavesdrop on your activities and transactions, manipulate data,
return falsified information, and redirect your clients to illegitimate sites. Your account
or service instances may then become a new base from which the attacker operates.
52. Virtual machine security problems. Recent research shows that it is possible to determine
precisely where a client's virtual machine is physically located within a public cloud, so an
attacker can use the same mapping techniques to locate a target and gather intelligence about
its classified data in the cloud. Further research showed that it is possible to place the
attacker's virtual machine on the same physical host as the victim's virtual machine, and then
create a side channel between the two machines that lets the attacker recover password
information through an SSH keystroke-timing attack.
53. Flooding attacks. These consist of DoS (Denial of Service), DDoS, and EDoS. Flooding is
a very old problem in computer technology, and hence for cloud computing as well. It basically
consists of an attacker sending a huge number of nonsense requests. Since each of these requests
has to be processed before it can be identified as nonsense, some computing power is consumed
by the attack, and eventually the server fails to respond in time; that is, it denies service.
Sometimes the attacker uses a botnet, which we call a Distributed Denial of Service (DDoS).
This is much harder to tackle because the huge number of nonsense requests arrives from many
sources at once. There is another sort of DoS, called EDoS (Economic Denial of Sustainability),
which targets the pay-as-you-go billing model: the attacker's traffic makes the victim's service
consume (and pay for) ever more metered resources, with the aim of making the cost unsustainable.
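The two sides of a flooding attack described above, detection and cost, shown in one script. This is an added illustration, not code from the original presentation: the access log, the per-instance capacity, the auto-scaling rule and the hourly price are all constructed values, and the IP addresses are documentation ranges. The sliding-window counter flags a source that exceeds a request threshold within a time window; the second part computes what the same traffic costs a tenant whose auto-scaler adds instances per unit of load, which is the EDoS point.

```python
"""Flood detection over a constructed access log, and what the same flood
costs a pay-as-you-go tenant (the EDoS angle). Added illustration; the log
lines, capacity and price figures are constructed, not measured."""
import math
from collections import defaultdict, deque

FLOODER = "203.0.113.7"                        # constructed attacker address
LEGIT = ("198.51.100.10", "198.51.100.11", "198.51.100.12")


def build_sample_log():
    """Constructed log, one line per request: '<unix_ts> <client_ip> <path> <status>'.
    Three legitimate clients send one request every 0.5 s; the flooder sends
    300 requests 10 ms apart (100 requests per second) over the same 3 s."""
    lines = []
    for i in range(5):
        for ip in LEGIT:
            lines.append(f"{1000.0 + i * 0.5:.3f} {ip} /api/search 200")
    for i in range(300):
        lines.append(f"{1000.0 + i * 0.01:.3f} {FLOODER} /api/search 200")
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


def detect_flooders(lines, window_s=1.0, threshold=50):
    """Sliding-window counter per source IP. Returns {ip: timestamp at which
    the IP first reached `threshold` requests within `window_s` seconds}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts_str, ip, _path, _status = line.split()
        ts = float(ts_str)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_s:       # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def peak_rps(lines, exclude=frozenset()):
    """Highest number of requests in any one-second bucket, ignoring `exclude` IPs."""
    buckets = defaultdict(int)
    for line in lines:
        ts_str, ip, _path, _status = line.split()
        if ip not in exclude:
            buckets[int(float(ts_str))] += 1
    return max(buckets.values(), default=0)


def instances_needed(rps, capacity_per_instance=20):
    """An auto-scaler that adds one instance per `capacity_per_instance` rps;
    at least one instance always runs (constructed scaling rule)."""
    return max(1, math.ceil(rps / capacity_per_instance))


def hourly_cost(rps, capacity_per_instance=20, price_per_instance_hour=0.10):
    """What the tenant is billed for one hour at this sustained request rate
    (constructed on-demand price)."""
    return instances_needed(rps, capacity_per_instance) * price_per_instance_hour


if __name__ == "__main__":
    log = build_sample_log()
    flooders = detect_flooders(log)
    print("flagged:", flooders)
    with_flood = peak_rps(log)
    without_flood = peak_rps(log, exclude=set(flooders))
    print(f"peak {with_flood} rps -> ${hourly_cost(with_flood):.2f}/h; "
          f"after dropping flooders {without_flood} rps -> ${hourly_cost(without_flood):.2f}/h")
```

With these constructed figures the flooder is flagged after its 50th request, and the tenant's bill is six times what the legitimate traffic alone would cost; the practical lesson is that a scaling cap or an edge rate limit belongs in front of an auto-scaler, otherwise "availability" is bought with an unbounded bill.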
54. Data security. Data can be intercepted while it is in transit. This problem is actually
well understood: we can encrypt the data itself, or secure the connection between browser and
server (for example with TLS), or both.
55. Hypervisor vulnerability. The hypervisor is a critical piece of virtualized cloud
infrastructure: it provides the software layer that sits between the hardware and the VMs
and allows multiple VMs to share a single hardware platform. Not surprisingly, hypervisor
vulnerabilities are a major source of concern for IT professionals. If the hypervisor is
vulnerable to attack, then the integrity of the entire public or private cloud
implementation is at serious risk, since every tenant on that host depends on it.
56. Shared resources issues. Sharing of resources raises some critical problems of unwanted
data privacy leakage, because of data remanence in a multi-tenant hardware implementation:
storage or memory freed by one tenant may still hold that tenant's data when it is reassigned
to another. Another example of a shared-resource vulnerability is reputation fate sharing.
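The data remanence problem above, as a constructed simulation (added here; not code from the presentation or from any cloud provider). The block store, the tenants, and the secret are all invented for the illustration. The point it makes is that per-access authorisation can be entirely correct and the leak still happens, because the channel is block reuse, not access control; scrubbing on release closes it.

```python
"""Data remanence in a multi-tenant block store, as a constructed simulation.
Tenant A writes a secret into a block and releases it; the allocator hands
the same physical block to tenant B. Without scrubbing, B reads A's data
back even though every access is authorised for the block's current owner."""

BLOCK_SIZE = 64


class BlockStore:
    """Toy block allocator. Blocks are reused most-recently-freed first,
    as many real allocators do, which maximises the chance of a remnant."""

    def __init__(self, n_blocks, scrub_on_release=False):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.owner = [None] * n_blocks
        self.free = list(range(n_blocks))
        self.scrub_on_release = scrub_on_release

    def allocate(self, tenant):
        if not self.free:
            raise RuntimeError("no free blocks")
        idx = self.free.pop(0)
        self.owner[idx] = tenant
        return idx

    def release(self, tenant, idx):
        self._authorise(tenant, idx)
        if self.scrub_on_release:
            self.blocks[idx][:] = bytes(BLOCK_SIZE)   # zero before reassignment
        self.owner[idx] = None
        self.free.insert(0, idx)

    def write(self, tenant, idx, data):
        """Writes `data` at the start of the block; the tail is left untouched,
        so a short write over a dirty block keeps the rest of the old content."""
        self._authorise(tenant, idx)
        if len(data) > BLOCK_SIZE:
            raise ValueError("write exceeds block size")
        self.blocks[idx][:len(data)] = data

    def read(self, tenant, idx):
        self._authorise(tenant, idx)
        return bytes(self.blocks[idx])

    def _authorise(self, tenant, idx):
        # Per-access authorisation: correct, and still does not stop the leak,
        # because the leak is through block reuse, not through access.
        if self.owner[idx] != tenant:
            raise PermissionError(f"{tenant} does not own block {idx}")


SECRET = b"api-key=CONSTRUCTED-SECRET-0001"   # constructed sample secret


def remnant_after_reuse(scrub_on_release):
    """Returns the bytes tenant B sees in its freshly allocated block."""
    store = BlockStore(n_blocks=4, scrub_on_release=scrub_on_release)
    a = store.allocate("tenant-A")
    store.write("tenant-A", a, SECRET)
    store.release("tenant-A", a)
    b = store.allocate("tenant-B")      # same physical block as `a`
    assert b == a
    return store.read("tenant-B", b)


def remnant_after_partial_write(scrub_on_release):
    """Tenant B writes a short value, then reads the whole block: the tail
    still carries A's secret unless the block was scrubbed."""
    store = BlockStore(n_blocks=4, scrub_on_release=scrub_on_release)
    a = store.allocate("tenant-A")
    store.write("tenant-A", a, SECRET)
    store.release("tenant-A", a)
    b = store.allocate("tenant-B")
    store.write("tenant-B", b, b"hello")
    return store.read("tenant-B", b)


if __name__ == "__main__":
    for scrub in (False, True):
        leaked = SECRET in remnant_after_reuse(scrub)
        print(f"scrub_on_release={scrub}: secret visible to tenant B -> {leaked}")
```

In a real cloud the provider-side analogue is zeroing volumes and memory before they are handed to another tenant; the tenant-side control that survives a provider which does not scrub is encrypting data at rest with keys the tenant holds, so any remnant is ciphertext rather than the secret itself.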
57. Compliance. From the former NSA contractor Edward Snowden we learned that, under the
long-disputed PRISM program, the USA's National Security Agency (NSA) had been able to access
the emails, Facebook accounts and videos of citizens across the world. It had even secretly
acquired the phone records of millions of Americans and of prominent figures elsewhere, such as
Angela Merkel. Through a secret court, it was able to compel nine US internet companies to
comply with its demands for access to their users' data. For a cloud customer this means that
data hosted with such a provider may be disclosed to a foreign government regardless of the
customer's own compliance obligations.