Cloud Computing promises to provide a flexible IT architecture, accessible through internet from lightweight portable devices. In a cloud computing environment, the entire data resides over a set of networked resources, enabling the data to be accessed through virtual machines. Since these data-centres may be located in any part of the world beyond the reach and control of users, there are multifarious security and privacy challenges that need to be understood and addressed. Also, one can never deny the possibility of a server breakdown that has been witnessed, rather quite often in the recent times. Thus, despite the potential gains achieved from the cloud computing, the organizations are slow in accepting it due to security issues and challenges associated with it. Security is one of the major issues which hamper the growth of cloud. The idea of handing over important data to another company is worrisome; such that the consumers need to be vigilant in understanding the risks of data breaches in this new environment.
This presentation introduces a detailed analysis of the cloud computing security issues and challenges focusing on the cloud computing types and the service delivery types.
Security Issues and Challenges in Cloud Computing
1. Security Issues and Challenges in Cloud Computing
Inderjeet Singh
FIE, FIETE, MCSI
All India Seminar on Cloud Computing
Institute of Electronic Engineers
Lucknow (U.P.)
13-14 October, 2012
2. Agenda
Introduction & Overall Security Concerns
Security Threats in Cloud Computing
Challenges in Implementation of Cloud
Conclusion
3. Myths or Realities?
• Cloud is not as secure as a traditional IT operation
• Security patching is better in a cloud
• Demonstrating compliance is harder in a cloud
• Data loss is less likely in a cloud
• More control leads to better security
• Cloud providers can handle insecure apps better
• Cloud providers have a better view of threats
• Cloud offers more availability than in-house IT
• Cloud providers are more concerned with protecting themselves than the client
4. Security Pitfalls
• Users are not aware of how cloud services are provided
• There is no well-demarcated network security border
• Cloud computing implies loss of control
5. What is Cloud Security?
"There is nothing new under the sun, but there are lots of old things we don't know."
Ambrose Bierce, The Devil's Dictionary
Software as a Service
Utility Computing
Grid Computing
Cloud Computing
Cloud security: Confidentiality, Integrity and Availability of mission-critical IT assets stored or processed on a cloud computing platform
Confidentiality: Prevent unauthorized disclosures
Integrity: Preserve information integrity
Availability: Ensure information is available when needed
6. Q: Rate the challenges/issues of the 'cloud'/on-demand model (1=not significant, 5=very significant)
% responding 3, 4 or 5:
Security: 88.5%
Performance: 88.1%
Availability: 84.8%
Hard to integrate with in-house IT: 84.5%
Not enough ability to customize: 83.3%
Worried cloud will cost more: 81.1%
Bringing back in-house may be difficult: 80.3%
Not enough major suppliers yet: 74.6%
Source: Frank Gens & IDC Enterprise Panel
7. Specific Customer Concerns Related to Security
Protection of intellectual property and data: 30%
Ability to enforce regulatory or contractual obligations: 21%
Unauthorized use of data: 15%
Confidentiality of data: 12%
Availability of data: 9%
Integrity of data: 8%
Ability to test or audit a provider's environment: 6%
Other: 3%
Source: Deloitte Enterprise@Risk: Privacy and Data Protection Survey, 2007
10. Deployment Models
• Private Cloud
- Owned or leased by a single organization
- No public access
• Public Cloud
- Owned by an organization selling cloud services
• Managed Cloud
- Owned by a single organization
- No public access
• Community Cloud
- Shared by several organizations
- Supports a specific community that has shared concerns
• Hybrid Cloud
- Composition of 2 or more clouds
- Enables data & application portability (e.g. cloud bursting)
12. Where is the Data? Moving from Private to Public Leads to a Real or Perceived Loss of Control
We Have Control (private):
- It's located at X.
- We have backups.
- Our admins control access.
- Our uptime is sufficient.
- The auditors are happy.
- Our security team is engaged.
Who Has Control? (public):
- Where is it located?
- Who backs it up?
- Who has access?
- How resilient is it?
- How do auditors observe?
- How does our security team engage?
80% of enterprises consider security the #1 inhibitor to cloud adoption
48% of enterprises are concerned about the reliability of clouds
33% of respondents are concerned with cloud interfering with their ability to comply with regulations
Source: Driving Profitable Growth Through Cloud Computing, IBM Study, 2008 (conducted by Oliver Wyman)
13. Delivery and Deployment Model (diagram)
Service delivery models: SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service)
Deployment models: Public Cloud, Private Cloud, Hybrid Cloud
IS requirements: Policies & Guidelines, SLA, Data Protection, Governance, Risk Assessment, Monitor & Control
Endpoints shown: Notebook, Remote Desktop, Database, Remote Server, PC, Mobile, Mini Note
14. Security Issues in SaaS
• Key security elements should be carefully considered as an integral part of the SaaS deployment process:
Data security
Network security
Data locality
Data integrity
Data access
Data segregation
Authorization and authentication
Data confidentiality
Web application security
Data breaches
Virtualization vulnerability
Availability
Backup
Identity management in the sign-on process
15. Security Issues in PaaS
• In PaaS, the provider might give customers some control to build applications on top of the platform.
• Any security below the application level such as host
and network intrusion prevention will still be in the
scope of the provider.
16. Security Issues in PaaS
• Security threats are related to security holes in the virtualization manager.
• OS security issues are also present in IaaS.
17. Security Issues in IaaS
• Hackers are likely to attack visible code, including but not limited
to code running in user context.
• They are likely to attack the infrastructure and perform
extensive black box testing.
• The vulnerabilities of cloud are not only associated with the web
applications but also vulnerabilities associated with the machine-to-machine Service Oriented Architecture (SOA) applications.
18. Security Implications of the Delivery Models
Service   Security by Cloud Provider   Extensibility
SaaS      Greatest                     Least
IaaS      Least                        Greatest
PaaS      Middle                       Middle
The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing and managing yourself.
19. Overall Security Concerns
• Privileged access: Who has specialized/privileged access to data? Who decides about the hiring and management of such administrators?
• Regulatory compliance: Is the cloud vendor willing to undergo external audits and/or security certification?
• Data location: Does the cloud service provider allow for any control over the location of data?
20. Overall Security Concerns
• Data segregation: Are encryption schemes designed and tested by experienced professionals?
• Recovery: What happens to data in the case of a disaster, does the vendor offer complete restoration, and, if so, how long does that process take?
• Investigative support: Does the vendor have the ability to investigate any inappropriate or illegal activity?
21. Security Issues (continued)
• Long-term viability: What happens to data if the cloud vendor goes out of business? Is clients' data returned, and in what format?
• Data availability: Can the cloud vendor move all their clients' data onto a different environment should the existing environment become compromised or unavailable?
22. High-level cloud security concerns
Compliance: Complying with SOX, HIPAA and other regulations may prohibit the use of clouds for some applications. Comprehensive auditing capabilities are essential.
Less Control: Many companies and governments are uncomfortable with the idea of their information located on systems they do not control. Providers must offer a high degree of security transparency to help put customers at ease.
Reliability: High availability will be a key concern. IT departments will worry about a loss of service should outages occur. Mission-critical applications may not run in the cloud without strong availability guarantees.
Security Management: Providers must supply easy, visual controls to manage firewall and security settings for applications and runtime environments in the cloud.
Data Security: Migrating workloads to a shared network and compute infrastructure increases the potential for unauthorized exposure. Authentication and access technologies become increasingly important.
24. Security Issues
1. Governance & Risk Management
2. Compliance
3. Vulnerability & Patch Management
4. Physical/Personal Security
5. Operational Security
6. Availability
7. Incident Response
8. Privacy
9. Business Continuity
10. Legal Issues
1. Data Security
2. Identity Management
3. Single Sign-On
4. Application Security
5. Secure Multi-tenancy
6. Logs & Audit Trails (Forensics)
7. Cyber Security (DPI)
8. Encryption & Key Management
9. Virtualization Security
10. Storage Security
11. Information Lifecycle Management
25. Data Security Issues
• Data Segregation
• Data Location
• DaR (Data at Rest) Protection
• DiM (Data in Motion) Protection
• Data Integrity
• Data Erasure at EoS (End of Service)
• Data Compliance
• Data Loss Prevention
• Contractual Obligations/SLAs
• Authentication
• Access Control
• Auditing Support
26. Data Security in the Cloud
• Data will be
- Stored in multi-tenant environments
- Spanning multiple layers in the cloud stack
- Accessed by various parties of different trust levels (users, tenants, privileged cloud admins)
- Located in various geographies
- Enforced by various contractual obligations/SLAs
- Governed by various regulations and industry best practices
- Secured by multiple technologies and services
A shared, multi-tenant infrastructure increases the potential for unauthorized exposure.
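The two slides above (Data Security Issues: data segregation, DaR protection, data integrity; Data Security in the Cloud: multi-tenant storage accessed by parties of different trust levels) describe controls without showing one. The following is an added example, not code from the presentation, of one building block: integrity tags for stored records that are bound to the owning tenant and object identity, so a record altered on shared storage, or replayed under another tenant's identity, fails verification. It assumes an HMAC-based per-tenant key derivation from a master key; the master key, tenant ids and record contents are constructed for the demo, and a real deployment would hold the master key in a KMS or HSM.

```python
import hashlib
import hmac
import secrets

# Constructed master key for the demo; a real deployment would fetch it from a KMS or HSM
# and would not keep a long-lived master secret in application memory.
MASTER_KEY = secrets.token_bytes(32)


def tenant_key(master_key: bytes, tenant_id: str) -> bytes:
    """Derive a per-tenant integrity key (HMAC-based derivation; an assumption for this demo).
    Tenants never share a key, which is what makes a cross-tenant replay detectable."""
    return hmac.new(master_key, b"integrity-key:" + tenant_id.encode("utf-8"),
                    hashlib.sha256).digest()


def _encode(*parts: bytes) -> bytes:
    """Length-prefix each field so ('tenant-a', 'b/x') cannot collide with ('tenant-ab', '/x')."""
    out = b""
    for p in parts:
        out += len(p).to_bytes(4, "big") + p
    return out


def tag_record(master_key: bytes, tenant_id: str, object_id: str, data: bytes) -> bytes:
    """MAC the record together with its tenant and object identity."""
    key = tenant_key(master_key, tenant_id)
    msg = _encode(tenant_id.encode("utf-8"), object_id.encode("utf-8"), data)
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_record(master_key: bytes, tenant_id: str, object_id: str,
                  data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many tag bytes matched."""
    expected = tag_record(master_key, tenant_id, object_id, data)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Constructed scenario: one stored record, checked under four conditions."""
    data = b"customer ledger, Q3 2012"
    tag = tag_record(MASTER_KEY, "tenant-a", "ledger/2012-q3", data)
    return {
        # the legitimate owner reads the untouched record
        "intact": verify_record(MASTER_KEY, "tenant-a", "ledger/2012-q3", data, tag),
        # a byte of the stored data was altered after tagging
        "tampered": verify_record(MASTER_KEY, "tenant-a", "ledger/2012-q3", data + b"!", tag),
        # the same bytes and tag are presented as belonging to another tenant
        "cross_tenant": verify_record(MASTER_KEY, "tenant-b", "ledger/2012-q3", data, tag),
        # the record is replayed under a different object id within the same tenant
        "wrong_object": verify_record(MASTER_KEY, "tenant-a", "ledger/2012-q4", data, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Only the "intact" case verifies; the other three fail because tenant, object id and content are all inputs to the tag. Integrity tags do not provide confidentiality: data at rest would additionally be encrypted, and the same per-tenant key separation applies to the encryption keys.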
27. Security Attacks in Cloud
• Authentication attacks: Authentication is a weak point in hosted and virtual services and is frequently targeted. There are many different ways to authenticate users; for example, based on what a person knows, has, or is. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers.
• Man-in-the-middle cryptographic attacks: This attack is carried out when an attacker places himself between two users. Any time attackers can place themselves in the communication's path, there is the possibility that they can intercept and modify communications.
28. Security Attacks in Cloud
• Denial of Service (DoS) attacks: Some security
professionals have argued that the cloud is more vulnerable to
DoS attacks, because it is shared by many users, which makes
DoS attacks much more damaging. Twitter suffered a
devastating DoS attack during 2009.
• Side Channel attacks: An attacker could attempt to
compromise the cloud by placing a malicious virtual machine
in close proximity to a target cloud server and then launching
a side channel attack.
29. Security Attacks in Cloud
Network Security:
• Network penetration and packet analysis
• Session management weaknesses
• Insecure SSL trust configuration
30. Security Attacks in Cloud
Web Application Security:
• Injection flaws like SQL, OS and LDAP injection
• Cross-site scripting
• Broken authentication and session management
• Insecure direct object references
• Cross-site request forgery
• Insecure cryptographic storage
• Failure to restrict URL access
• Insufficient transport layer protection
• Unvalidated redirects and forwards
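Two items from the list above, SQL injection and unvalidated redirects, are shown here in working code as an added example that is not part of the presentation. The lookup function is given once in its vulnerable form, where the caller's string is spliced into the SQL text, and once parameterized; the redirect validator accepts only same-site relative paths or HTTPS URLs on an allow-listed host. The user table, the probe string and the host names are constructed for the demo, and SQLite stands in for whatever database the application uses.

```python
import sqlite3
from urllib.parse import urlparse


def make_db() -> sqlite3.Connection:
    """Constructed sample user store; stands in for the application's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Injection flaw: the caller's string becomes part of the SQL text, so quote
    characters in it change the query's structure instead of being compared as data."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a bound parameter is always treated as a value, never as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def is_safe_redirect(target: str, allowed_hosts: set) -> bool:
    """Accept only same-site relative paths or HTTPS URLs on an allow-listed host."""
    if "\\" in target or "\r" in target or "\n" in target:
        return False          # browsers may read '\' as '/', and CR/LF would split headers
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # relative path; '//host' is scheme-relative and must not count as relative
        return target.startswith("/") and not target.startswith("//")
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


def demo() -> dict:
    """Constructed inputs: a classic tautology probe and two redirect targets."""
    conn = make_db()
    probe = "' OR '1'='1"
    return {
        "unsafe_rows": len(find_user_unsafe(conn, probe)),   # the whole table comes back
        "safe_rows": len(find_user_safe(conn, probe)),       # no user has that literal name
        "redirect_ok": is_safe_redirect("/account", {"app.example"}),
        "redirect_bad": is_safe_redirect("//evil.example/login", {"app.example"}),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query returns every row for the probe because the spliced quote turns the comparison into `name = '' OR '1'='1'`; the parameterized query compares against the literal string and returns nothing. For redirects, parsing the target rather than string-matching it is what catches scheme-relative (`//host`) and credential-prefixed (`https://good@evil`) forms.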
Key point: As security professionals, our work is cut out for us, especially since the security concerns related to cloud computing are extremely simple to understand. Here are some examples:
> Losing control over data and operations is unsettling ("external" aspects of public clouds exacerbate this concern).
> Data transferred to a third party can be modified, lost, or stolen.
> A shared, multi-tenant infrastructure increases the potential for unauthorized exposure.
> Service disruptions can have tremendous effects on the business.
Then, I want to introduce the infrastructure models of cloud computing.
When it comes to delivering a cloud deployment there is a spectrum of deployment options available for you to choose from. The most common and most written about is the public cloud option, like Amazon Elastic Compute Cloud (EC2) or Google Apps; these cloud deployments allow any user with a credit card to gain access to the resources. At the other end is a private cloud deployment, where all the resources are owned, managed and controlled by the enterprise. In between are gradations from third-party managed, to third-party hosted, to a very common emerging model called "shared cloud services" or "member cloud services". Here you must be a member to access the services, and they can be made available to you typically in a shared resources option or a dedicated resources option, depending on your needs and configurations. It is this last model where IBM has offerings called IBM Smart Business Services on the IBM Cloud.
Finally you can merge the options between public and private and create what has been coined a "hybrid cloud".
When it comes to deciding which cloud delivery option you want to choose, it needs to be tailored to the business, the time and money requirements, and the availability of the resources. There is a spectrum of delivery options, and there is no single right way.
Deployment options, from private to public:
Private: Implemented on client premises; client runs/manages
Managed private cloud: Third-party operated; enterprise owned
Hosted private cloud: Third-party owned and operated
Shared Cloud Services: Mix of shared and dedicated resources; shared facility and staff; virtual private network (VPN) access; subscription or membership based
Public Cloud: Shared resources; elastic scaling; pay as you go
Axis labels on the slide: Mission critical / Packaged applications / High compliancy; Standardization / Centralization / Security; access moves from internal network (private end) to public Internet (public end).
A hybrid cloud solution is some mix of private and public integrated with your traditional IT to deliver the cloud solution to the end user, and can involve any of the public to private options.
Key message: Security doesn’t change when you move to the cloud, but the way in which we integrate, deploy, and manage security does.
Click 1+2: Discuss how security is done today. (read through the bullets on the slide)
Click 3+4: Discuss how security will look with a remote/public cloud.
Point 1) Cloud is about not knowing the details. We don’t care about the underlying infrastructure, we care about the business services running on top of the cloud – physical machines, networking gear, and in some cases operating systems, middleware and applications are irrelevant to the customer. However, security is about knowing all the details (patch levels, networking protocols, application code, etc). Cloud providers must offer customers the ability to see what’s behind the curtain and give information about what security tools are in place.
Point 2) Nothing here is new. We’ve dealt with many of these problems before in Strategic Outsourcing, SOA, etc. Security remains the same - it's about providing confidentiality, integrity, and availability. In most cases, security technologies and the products they construct will remain the same when applied to cloud environments - encryption, access control, intrusion prevention, isolation, etc. However, the speed in which cloud services can be assembled and terminated (often without the Security Admin’s knowledge or permission) offers some new challenges for security vendors and cloud providers alike.
Key point: Some concerns are more relevant to the cloud than others, these are the most frequently discussed.
Less control: Uncomfortable with the idea of their information on systems they do not own in-house.
Cloud computing changes some of the basic expectations and relationships that influence how we assess security and perceive risk. In the cloud, it's difficult to physically locate where data is stored. Security processes, once visible, are now hidden behind layers of abstraction. Even the most basic tasks, such as applying patches and configuring firewalls, may become the responsibility of the cloud operator, not the end user. While the intent of security remains the same - to ensure the confidentiality, integrity, and availability of information - cloud computing shifts control over data and operations. This forces us to think about security in terms of the cloud provider, the custodian of our information, and how they ultimately implement, deploy, and manage security on our behalf.
Data Security: A shared, multi-tenant infrastructure increases potential for unauthorized exposure. Especially in the case of public-facing clouds.
Data will be
Stored in multi-tenant environments, spanning multiple layers in the cloud stack
Accessed by various parties of different trust levels (users, tenants, privileged cloud admins)
Located in various geographies
Enforced by various contractual obligations and SLAs
Governed by various regulations and industry best practices
Secured by multiple technologies and services
Reliability: They are worried about service disruptions affecting the business.
Compliance: Regulations may prohibit the use of clouds for certain workloads and data.
Security Management: How will today’s enterprise security controls be represented in the cloud?
Public clouds maximize concerns. Hybrid & private clouds resonate with clients in demand of higher assurance.
Now I will list some security issues in cloud computing.