Cloud Computing promises to provide a flexible IT architecture, accessible through internet from lightweight portable devices. In a cloud computing environment, the entire data resides over a set of networked resources, enabling the data to be accessed through virtual machines. Since these data-centres may be located in any part of the world beyond the reach and control of users, there are multifarious security and privacy challenges that need to be understood and addressed. Also, one can never deny the possibility of a server breakdown that has been witnessed, rather quite often in the recent times. Thus, despite the potential gains achieved from the cloud computing, the organizations are slow in accepting it due to security issues and challenges associated with it. Security is one of the major issues which hamper the growth of cloud. The idea of handing over important data to another company is worrisome; such that the consumers need to be vigilant in understanding the risks of data breaches in this new environment. This presentation introduces a detailed analysis of the cloud computing security issues and challenges focusing on the cloud computing types and the service delivery types.

1. Securit y I ssues and Challenges in
Cloud Comput ing
I nderj eet Singh
FI E,FI ETE,MCSI
All India Seminar on Cloud Computing
Institute of Electronic Engineers
Lucknow(U.P)
13-14 October, 2012

2. Conclusion
Challenges in I mplementation of Cloud
Security Threats in Cloud Computing
Introduction & Overall Security Concerns
Agenda

3. Myths or Realities?
• Cloud is not as secure as a traditional I T operation
• Security patching is better in a cloud
• Demonstrating compliance is harder in a cloud
• Data loss is less likely in a cloud
• More control leads to better security
• Cloud providers can handle insecure apps better
• Cloud providers have a better view of threats
• Cloud offers more availability than in- house I T
• Cloud providers are more concerned with protecting
themselves than the client

4. Security Pitfalls
• User is not aware with how cloud services are
provided
• There is no well demarcated network security border
• Cloud computing implies loss of control
5

5. What is Cloud Security?
There is nothing new under the
sun
but there are lots of old things we
don't know.
Ambrose Bierce, The Devil's
Dictionary
Software as a Service
Utility Computing
Grid Computing
Cloud Computing
Confidentiality, Integrity, Availability
of mission-critical IT assets stored or
processed on a cloud computing
platform
Confidentiality
Prevent unauthorized disclosures
Integrity
Preserve information integrity
Availability
Ensure Information is available when
needed

6. 7
Not enough major
suppliers yet
Bringing back in-house
may be difficult
Worried cloud will
cost more
Not enough ability to
customize
Hard to integrate with
in-house IT
Availability
Performance
Security
74.6%
80.3%
81.1%
83.3%
84.5%
84.8%
88.1%
88.5%
65% 70% 75% 80% 85% 90%
% responding 3, 4 or 5
Q: Rate the challenges/issues of the 'cloud'/on-demand model
(1=not significant, 5=very significant)
Source: Frank Gens & IDC Enterprise Panel

7. Specific Customer Concerns Related to Security
Protection of intellectual property and data
Ability to enforce regulatory or contractual obligations
Unauthorized use of data
Confidentiality of data
Availability of data
Integrity of data
Ability to test or audit a provider’s environment
Other
30%
21%
15%
12%
9%
8%
6%
3%
Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey, 2007

8. Security Threats in Cloud Computing

9.
•Application Services (services on demand)
– Gmail, Google Calendar
•Platform as a Services (resources on demand)
– Google App engine
•Infrastructure as a Services
(physical assets as services)
―IBM Blue house, VMWare,
Amazon EC2,
Microsoft Azure Platform,
Sun Parascale etc
Delivery Models

10. Deployment Models
• Private Cloud
- Owned or leased by a single organization
- No public access
• Public Cloud
- Owned by an organization selling cloud services
• Managed Cloud
- Owned by a single organization
- No public access
• Community Cloud
- Shared by several organizations
- Supports a specific community that has shared concerns
• Hybrid Cloud
- Composition of 2 or more clouds
- Enable data & application portability (e.g. cloud bursting)

11. Trusted
Control
Reliable
Secure
Flexible
Dynamic
On-demand
EfficientPrivate
Cloud
Cloud
Computing
Virtualized
Data Center
Security
Virtualization
Federation
Internal cloud External cloud
Security Issues in Deployment Model

12. 14
Where is the Data? – Moving from Private to Public
Leads to a Real or Perceived Loss of Control
We Have Control

It’s located at X.

We have backups.

Our admins control
access.

Our uptime is sufficient.

The auditors are happy.

Our security team is
engaged.
Who Has Control?

Where is it located?

Who backs it up?

Who has access?

How resilient is it?

How do auditors
observe?

How does our security
team engage?
Of enterprises consider security
#1 inhibitor to cloud adoptions
80%
Of enterprises are concerned
about the reliability of clouds48%
Of respondents are concerned with
cloud interfering with their ability
to comply with regulations
33%
Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)

13. SaaS (Software as a Service)
IaaS (Infrastructure as a Service)
PaaS (Platform as a Service)
Public
CLoud
Private
Cloud
Hybrid
Cloud
IS Requirements
Notebook
Polices & Guidelines
Remote
Desktop
SLA
Database
Data Protection
Governance
Remote
Server
Risk Assessment
PC
Monitor
& Control
Mobile
Mini Note
Delivery and Deployment Model

14. Security Issues in SaaS
• Key security element should be carefully considered as an
integral part of the SaaS deployment process:
 Data Security
 Network Security
 Data locality
 Data integrity
 Data access
 Data Segregation
 Authorization and
Authentication
 Data Confidentiality
 web Application security
 Data Breaches
 Virtualization vulnerability
 Availability
 Backup
 Identity Management on
sign-on process

15. Security Issues in PaaS
• In PaaS, the provider might give some control to the
people to build applications on top of the platform.
• Any security below the application level such as host
and network intrusion prevention will still be in the
scope of the provider.

16. Security Issues in PaaS
• Securit y t hreat s are relat ed wit h securit y hole in Virt ualizat ion
• manager.
• OS Securit y issues also alive in I aaS.
18

17. Security Issues in IaaS
• Hackers are likely to attack visible code, including but not limited
to code running in user context.
• They are likely to attack the infrastructure and perform
extensive black box testing.
• The vulnerabilities of cloud are not only associated with the web
applications but also vulnerabilities associated with the machine-
to- machine Service Oriented Architecture (SOA) applications.

18. Security Implications of the Delivery Models
Service Security by
Cloud
Provider
Extensibility
SaaS Greatest Least
IaaS Least Greatest
PaaS Middle Middle
The lower down the stack the cloud provider stops, the more
security you are tactically responsible for implementing and
managing yourself

19. • Privileged access:
 Who has specialized/privileged access to data?
 Who decides about the hiring and management of
such administrators?
• Regulatory compliance:
 Is the could vender willing to undergo external
audits and/or security certification?
• Data location:
 Does the cloud service provider allow for any
control over the location of data?
Overall Security Concerns

20. • Data segregation :
 Is encryption schemes designed and tested by
experienced professionals ?
• Recovery :
 What happens to data in the case of a disaster, and
does the vendor offer complete restoration, and , if
so, How long does that process take ?
• Investigative Support :
 Does the vendor have the ability to investigate any
inappropriate or illegal activity?
Overall Security Concerns

21. Continue Security Issues
• Long – term viability:
What happens to data if the cloud vendor goes out of
business, Is clients’ data returned and in what format?
• Data Availability:
Can the cloud vendor move all their clients’ data onto a
different environment should the existing environment
become compromised or unavailable ?

22. 29
Compliance
Complying with SOX, HIPPA
and other regulations may prohibit the use of
clouds for some applications. Comprehensive
auditing capabilities are essential.
High-level cloud security concerns
29
Less Control
Many companies and governments are
uncomfortable with the idea of their information
located on systems they do not control. Providers
must offer a high degree of security transparency to
help
put customers at ease.
Reliability
High availability will be a key concern. IT departments will
worry about a loss of service should outages occur.
Mission critical applications may not run in the cloud
without strong availability guarantees.
Security Management
Providers must supply easy, visual controls to
manage firewall and security settings for
applications and runtime environments in the
cloud.
Data Security
Migrating workloads to a shared network and
compute infrastructure increases the potential
for unauthorized exposure. Authentication and
access technologies become increasingly
important.

23. Security Issues

24. 32
Security Issues
1. Governance & Risk
Management
2. Compliance
3. Vulnerability & Patch
Management
4. Physical/ personal Security
5. Operational security
6. Availability
7. I ncident response
8. Privacy
9. Business Continuity
10. Legal I ssues
1. Data Security
2. I dentity Management
3. Single Sign On
4. Applications Security
5. Secure Multi- tenancy
6. Logs & Audit Trails (Forensics)
7. Cyber Security (DPI )
8. Encryption & Key Management
9. Virtualization Security
10. Storage security
11. I nformation Lifecycle
Management

25. 33
Data Security Issues
•Data Segregation
•Data Location
•DaR Protection
•DiM Protection
•Data I ntegrity
•Data Erasure at
EoS
•Data Compliance
•Data Loss
Prevention
•Contractual
Obligations/ SLAs
•Authentication
•Access Control
•Auditing Support

26. 34
Data Security in the Cloud
• Data will be
- St ored in mult i-t enant environment s
- Spanning mult iple layers in t he cloud st ack
- Accessed by various part ies of dif f erent t rust levels
- users, t enant s, privileged cloud admins
- Locat ed in various geographies
- Enf orced by various cont ract ual obligat ions/ SLAs
- Governed by various regulat ions and indust ry best pract ices
- Secured by mult iple t echnologies and services
A Shared, multi-tenant infrastructure increases potential for unauthorized exposure

27. • Authentication attacks: Authentication is a weak point in
hosted and virtual services and is frequently targeted. There
are many different ways to authenticate users; for example,
based on what a person knows, has, or is. The mechanisms
used to secure the authentication process and the methods
used are a frequent target of attackers.
• Man-in-the-middle cryptographic attacks: This attack is
carried out when an attacker places himself between two
users. Anytime attackers can place themselves in the
communication’s path, there is the possibility that they can
intercept and modify communications.
Security Attacks in Cloud

28. Security Attacks in Cloud
• Denial of Service (DoS) attacks: Some security
professionals have argued that the cloud is more vulnerable to
DoS attacks, because it is shared by many users, which makes
DoS attacks much more damaging. Twitter suffered a
devastating DoS attack during 2009.
• Side Channel attacks: An attacker could attempt to
compromise the cloud by placing a malicious virtual machine
in close proximity to a target cloud server and then launching
a side channel attack.

29. Security Attacks in Cloud
Network Security:
•Network penetration and packet analysis
•Session management weaknesses
•Insecure SSL trust configuration.

30. Security Attacks in Cloud
Web Application Security:
•Injection flaws like SQL, OS and LDAP injection
•Cross-site scripting
•Broken authentication and session management
•Insecure direct object references
•Cross-site request forgery
•Insecure cryptographic storage
•Failure to restrict URL access
•Insufficient transport layer protection
•Un-validated redirects and forwards.

31. 39
Questions?
Page 39
I nderjeet Singh
I nderjit. barara@gmail. com