Lecture 7 Security in Cloud Computing

1
Lecture 7Security in Cloud Computing

• Asst.Prof. Supakorn Kungpisdan, Ph.D.
• supakorn_at_mut.ac.th

2
Subwaves within the information age
3
Why Cloud?

• Cloud computing is a low-cost solution.
• Cloud computing offers responsiveness and
  flexibility.
• The IT expense matches the transaction volumes.
• Business users are in direct control of
  technology decisions.
• The line between home computing applications and
  enterprise applications will blur.

4
Sources of incremental IT spending growth
5
Worldwide IT cloud services spending
6
Evolution of Cloud Computing
7
Evolution of Cloud Computing (cont.)

• ISP 1.0
• ISPs quickly proliferated to provide access to
  the Internet for organizations and individuals.
• These early ISPs merely provided Internet
  connectivity for users and small businesses,
  often over dial-up telephone service.
• ISP2.0
• ISPs consolidated and searched for other
  value-added services, such as providing access to
  email and to servers at their facilities.

8
Evolution of Cloud Computing (cont.)

• ISP3.0
• Colocation facilities specialized facilities for
  hosting organizations (customers) servers,
  along with the infrastructure to support them and
  the applications running on them.
• Those facilities are a type of data center where
  multiple customers locate network, server, and
  storage gear and interconnect to a variety of
  telecommunications and other network service
  provider(s) with a minimum of cost and
  complexity.

9
Evolution of Cloud Computing (cont.)

• ISP4.0
• Application Service Providers (ASPs), focusing on
  a higher value-added service of providing
  specialized applications for organizations, and
  not just the computing infrastructure.
• ASPs typically owned and operated the software
  application(s) they provided, as well as the
  necessary infrastructure.

10
Cloud Computing (ISP5.0)

• Although ASPs usually provided services to
  multiple customers (just as SaaS providers do
  today), they did so through dedicated
  infrastructures. Each customer had its own
  dedicated instance of an application, and that
  instance usually ran on a dedicated host or
  server.
• The important difference between SaaS providers
  and ASPs is that SaaS providers offer access to
  applications on a shared, not dedicated,
  infrastructure.

11
Cloud Computing Defined
Properties Descriptions
Multi-tenancy (shared resources) cloud computing is based on a business model in which resources are shared at the network level, host level, and application level.
Massive scalability cloud computing provides the ability to scale to tens of thousands of systems, as well as the ability to massively scale bandwidth and storage space
Elasticity Users rapidly increase and decrease their computing resources as needed, as well as release resources for other uses when they are no longer required.
Pay as you go Users pay for only the resources they actually use and for only the time they require them.
Self-provisioning of resources Users self-provision resources, such as additional systems (processing capability, software, storage) and network resources
12
Attributes of Elasticity
13
Notable Cloud Launches
14
SPI Service Model
15
Architecture for Relevant Technologies
16
Cloud Services Delivery Model
17
Cloud Deployment Model

• Private Clouds
• Public Clouds
• Hybrid Clouds

18
Cloud Service Deployment Model
19
Public Clouds
20
Hybrid Clouds
21
Key Drivers to Adopting Clouds

• Small Initial Investment and Low Ongoing Costs
• Economies of Scale

• Open Standards
• Sustainability

22
Governance in the Cloud
23
Barriers to Cloud Computing Adoption in the
Enterprise

• Security
• Privacy
• Connectivity and Open Access
• Reliability
• Interoperability
• Independence from Cloud Service Providers

• Economic Value
• Changes in the IT Organization
• IT Governance
• Political Issues Due to Global Boundaries

24
Complexity of security in cloud environment
25
Security Issues in Service Models

• Security in SaaS
• Enterprises lack of visibility about the way
  their data is stored and secured.
• Security in IaaS
• IaaS only provides basic security (perimeter
  firewall, load balancing, etc.)
• Applications moving into the cloud will need
  higher levels

• Security in PaaS
• A developer can tap to build their applications
  without having any clue about what is going on
  underneath the service.
• A hacker can leverage the PaaS cloud
  infrastructure for malware command and control
  and go behind IaaS applications.

26
Security for SaaS Stack
27
Security for the SaaS StackData Security

• In a traditional on-premise application model,
  sensitive data of each enterprise continues to
  reside within the enterprise boundary and is
  subject to its physical, logical and personnel
  security and access control policies.
• In SaaS model, the enterprise data is stored
  outside the enterprise boundary, at the SaaS
  vendor end.
• EC2 Administrators with a business need are
  required to use their individual Secure Shell
  (SSH) keys to gain access to a host. All such
  accesses are logged and routinely audited.
• Data at rest in Simple Storage Service (S3) is
  not encrypted by default, users can encrypt their
  data before it is uploaded to Amazon S3

28
Possible Vulnerabilities in SaaS

• Cross-site scripting XSS
• Access control weaknesses
• OS and SQL injection flaws
• Cross-site request forgery (CSRF)
• Cookie manipulation
• Insecure storage
• Insecure configuration

29
Security for the SaaS StackNetwork Security

• Sensitive data is obtained from the enterprises,
  processed by the SaaS application and stored at
  the SaaS vendor end.
• This involves the use of strong network traffic
  encryption techniques such as Secure Socket Layer
  (SSL) and the Transport Layer Security (TLS) for
  security.

30
Security for the SaaS StackData Locality

• Customer does not know where the data is getting
  stored.
• Due to compliance and data privacy laws in
  various countries, locality of data is of utmost
  importance in many enterprise architecture.
• In many EU and South America countries, certain
  types of data cannot leave the country because of
  potentially sensitive information.
• A secure SaaS model must be capable of providing
  reliability to the customer on the location of
  the data of the consumer.

31
Security for the SaaS StackData Integrity

• Each SaaS application may have different levels
  of availability and SLA, which further
  complicates management of transactions and data
  integrity across multiple SaaS applications.
• The lack of integrity controls at the data level
  (or, in the case of existing integrity controls,
  bypassing the application logic to access the
  database directly) could result in problems.

32
Security for the SaaS StackData Segregation

• Data of various users resides at the same
  location.
• Intrusion of data of one user by another becomes
  possible in this environment.
• A SaaS model should ensure a clear boundary for
  each users data.
• Possible Attacks include SQL injection flaws,
  Data validation, and Insecure storage.

33
Security for the SaaS StackData Access

• The SaaS model must be flexible enough to
  incorporate the specific policies put forward by
  the organization.
• It must also be able to provide organizational
  boundary within the cloud because multiple
  organization will be deploying their business
  processes within a single cloud environment.

34
Security for the SaaS StackAuthentication and
Authorization

• With SaaS, the software is hosted outside of the
  corporate firewall.
• Many a times user credentials are stored in the
  SaaS providers databases and not as part of the
  corporate IT infrastructure.
• SaaS customers must remember to remove/disable
  accounts as employees leave the company and
  create/enable accounts as come onboard.

35
Security for the SaaS StackVulnerabilities in
Virtualization

• Some vulnerability has been found in all
  virtualization software which can be exploited by
  malicious, local users to bypass certain security
  restrictions or gain privileges.
• Vulnerability of Microsoft Virtual PC and
  Microsoft Virtual Server could allow a guest
  operating system user to run code on the host or
  another guest operating system.
• Vulnerability in Virtual PC and Virtual Server
  could allow elevation of privilege.

36
Security for the SaaS StackAvailability

• A multi-tier architecture needs to be adopted,
  supported by a load-balanced farm of application
  instances, running on a variable number of
  servers.
• Resiliency to hardware/software failures, as well
  as to denial of service attacks, needs to be
  built from the ground up within the application.

37
Security for the SaaS StackBackups

• SaaS vendor needs to ensure that all sensitive
  enterprise data is regularly backed up to
  facilitate quick recovery in case of disasters.
• The use of strong encryption schemes to protect
  the backup data is recommended
• In the case of cloud vendors such as Amazon, the
  data at rest in S3 is not encrypted by default.
  The users need to separately encrypt their data
  and backups so that it cannot be accessed or
  tampered with by unauthorized parties.

38
Security for the SaaS StackIdentity Management
39
Security in PaaS

• Provider might give some control to the people to
  build applications on top of the platform.
• But any security below the application level such
  as host and network intrusion prevention will
  still be in the scope of the provider and the
  provider has to offer strong assurances that the
  data remains inaccessible between applications.
• PaaS is intended to enable developers to build
  their own applications on top of the platform.

40
Security in PaaS (cont.)

• Hackers are likely to attack visible code,
  including but not limited to code running in user
  context.
• They are likely to attack the infrastructure and
  perform extensive black box testing.
• The vulnerabilities of cloud are not only
  associated with the web applications but also
  vulnerabilities associated with the
  machine-to-machine Service-Oriented Architecture
  (SOA) applications

41
Security Issues in IaaS

• Developer has better control over the security as
  long as there is no security hole in the
  virtualization manager.
• Security responsibilities of both the provider
  and the consumer greatly differ between cloud
  service models.
• Amazons EC2 infrastructure as a service offering
  includes vendor responsibility for security up to
  the hypervisor, meaning they can only address
  security controls such as physical security,
  environmental security, and virtualization
  security.
• The consumer is responsible for the security
  controls that relate to the IT system including
  the OS, applications and data

42
Security Management and Monitoring Scope
43
ITIL Life Cycle in Enterprise
44
Security Management in Clouds

• Availability management (ITIL)
• Access control (ISO/IEC 27002, ITIL)
• Vulnerability management (ISO/IEC 27002)
• Patch management (ITIL)
• Configuration management (ITIL)
• Incident response (ISO/IEC 27002)
• System use and access monitoring (ISO/IEC 27002)

45
Security-as-a-Service

• Email filtering (including backup, archival, and
  e-discovery)
• Web content filtering vulnerability management
• Identity-as-a-service (spelled as IDaaS).

46
Email Filtering

• SaaS for email primarily involves cleansing spam,
  phishing emails, and malware included in email
  from an organizations incoming email stream, and
  then delivering that clean email securely to the
  organization so that it is effectively not
  repolluted.
• Not only more comprehensive security for clients
  due to the use of multiple engines, but also
  better performance of those client devices
  (because the anti-malware runs in the cloud and
  not on the endpoint directly), as well as far
  better anti-malware management.
• Provide email encryption, SSL tunnel between
  email servers, backups and recovery

47
Web Content Filtering
48
Vulnerability Management

• Discover, prioritize, and assess systems for
  vulnerabilities, and then report and remediate
  those vulnerabilities and verify the systems
  secure operation.
• Monitor for and report on compliance with some
  regulatory requirements (e.g., the Payment Card
  Industrys Data Security Standard).

49
Identity Management-As-a-Service
50
Questions?