1 / 50

Lecture 7 Security in Cloud Computing

Lecture 7 Security in Cloud Computing. Asst.Prof . Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th. Subwaves within the information age. Evolution of Cloud Computing. Cloud computing is a low-cost solution. Cloud computing offers responsiveness and flexibility.

rufina
Télécharger la présentation

Lecture 7 Security in Cloud Computing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 7Security in Cloud Computing Asst.Prof. Supakorn Kungpisdan, Ph.D. supakorn@mut.ac.th

  2. NETE4630 Advanced Network Security and Implementation Subwaves within the information age

  3. NETE4630 Advanced Network Security and Implementation Evolution of Cloud Computing

  4. Cloud computing is a low-cost solution. Cloud computing offers responsiveness and flexibility. The IT expense matches the transaction volumes. Business users are in direct control of technology decisions. The line between home computing applications and enterprise applications will blur. NETE4630 Advanced Network Security and Implementation Why Cloud?

  5. NETE4630 Advanced Network Security and Implementation Sources of incremental IT spending growth

  6. NETE4630 Advanced Network Security and Implementation Worldwide IT cloud services spending

  7. ISP 1.0 • ISPs quickly proliferated to provide access to the Internet for organizations and individuals. • These early ISPs merely provided Internet connectivity for users and small businesses, often over dial-up telephone service. ISP2.0 • As access to the Internet became a commodity, ISPs consolidated and searched for other value-added services, such as providing access to email and to servers at their facilities. NETE4630 Advanced Network Security and Implementation Evolution of Cloud Computing (cont.)

  8. ISP3.0 • Colocation facilities: specialized facilities for hosting organizations’ (customers’) servers, along with the infrastructure to support them and the applications running on them. • Those facilities are “a type of data center where multiple customers locate network, server, and storage gear and interconnect to a variety of telecommunications and other network service provider(s) with a minimum of cost and complexity.” NETE4630 Advanced Network Security and Implementation Evolution of Cloud Computing (cont.)

  9. ISP4.0 • As collocation facilities proliferated and became commoditized, the next step in the evolution was the formation of application service providers (ASPs), which focused on a higher value-added service of providing specialized applications for organizations, and not just the computing infrastructure. • ASPs typically owned and operated the software application(s) they provided, as well as the necessary infrastructure. NETE4630 Advanced Network Security and Implementation Evolution of Cloud Computing (cont.)

  10. Although ASPs might appear similar to a service delivery model of cloud computing that is referred to as software-as-a-service (SaaS), there is an important difference in how these services are provided, and in the business model. Although ASPs usually provided services to multiple customers (just as SaaS providers do today), they did so through dedicated infrastructures. That is, each customer had its own dedicated instance of an application, and that instance usually ran on a dedicated host or server. The important difference between SaaS providers and ASPs is that SaaS providers offer access to applications on a shared, not dedicated, infrastructure. NETE4630 Advanced Network Security and Implementation Cloud Computing (ISP5.0)

  11. NETE4630 Advanced Network Security and Implementation Cloud Computing Defined

  12. NETE4630 Advanced Network Security and Implementation Attributes of Elasticity

  13. NETE4630 Advanced Network Security and Implementation Notable Cloud Launches

  14. NETE4630 Advanced Network Security and Implementation SPI Service Model

  15. NETE4630 Advanced Network Security and Implementation Architecture for Relevant Technologies

  16. NETE4630 Advanced Network Security and Implementation Cloud Services Delivery Model

  17. Private Clouds Public Clouds Hybrid Clouds NETE4630 Advanced Network Security and Implementation Cloud Deployment Model

  18. NETE4630 Advanced Network Security and Implementation Cloud Service Deployment Model

  19. NETE4630 Advanced Network Security and Implementation Public Clouds

  20. NETE4630 Advanced Network Security and Implementation Hybrid Clouds

  21. NETE4630 Advanced Network Security and Implementation Key Drivers to Adopting Clouds • Small Initial Investment and Low Ongoing Costs • Economies of Scale • Open Standards • Sustainability

  22. NETE4630 Advanced Network Security and Implementation Governance in the Cloud

  23. NETE4630 Advanced Network Security and Implementation Barriers to Cloud Computing Adoption in the Enterprise • Security • Privacy • Connectivity and Open Access • Reliability • Interoperability • Independence from CSPs • Economic Value • Changes in the IT Organization • IT Governance • Political Issues Due to Global Boundaries

  24. NETE4630 Advanced Network Security and Implementation Complexity of security in cloud environment

  25. NETE4630 Advanced Network Security and Implementation Security Issues in Service Models • Security in SaaS • Most enterprises are still uncomfortable with the SaaS model due to lack of visibility about the way their data is stored and secured. • Security in IaaS • IaaS only provides basic security (perimeter firewall, load balancing, etc.) and applications moving into the cloud will need higher levels of security provided at the host. • Security in PaaS • PaaSoffers an integrated set of developer environment that a developer can tap to build their applications without having any clue about what is going on underneath the service. • This can be helpful for a hacker to leverage the PaaS cloud infrastructure for malware command and control and go behind IaaS applications.

  26. NETE4630 Advanced Network Security and Implementation Security for the SaaS Stack

  27. In a traditional on-premise application deployment model, sensitive data of each enterprise continues to reside within the enterprise boundary and is subject to its physical, logical and personnel security and access control policies. In SaaS model, the enterprise data is stored outside the enterprise boundary, at the SaaS vendor end. EC2 Administrators with a business need are required to use their individual cryptographi- cally strong Secure Shell (SSH) keys to gain access to a host. All such accesses are logged and routinely audited. Data at rest in Simple Storage Service (S3) is not encrypted by default, users can encrypt their data before it is uploaded to Amazon S3, so that it is not accessed or tampered with by any unauthorized party. NETE4630 Advanced Network Security and Implementation Security for the SaaS StackData Security

  28. Cross-site scripting [XSS] Access control weaknesses OS and SQL injection flaws Cross-site request forgery [CSRF] Cookie manipulation Hidden field manipulation Insecure storage Insecure configuration NETE4630 Advanced Network Security and Implementation Possible Vulnerabilities in SaaS

  29. Sensitive data is obtained from the enterprises, processed by the SaaS application and stored at the SaaS vendor end. All data flow over the network needs to be secured in order to prevent leakage of sensitive information. This involves the use of strong network traffic encryption techniques such as Secure Socket Layer (SSL) and the Transport Layer Security (TLS) for security. NETE4630 Advanced Network Security and Implementation Security for the SaaS StackNetwork Security

  30. Customer does not know where the data is getting stored. Due to compliance and data privacy laws in various countries, locality of data is of utmost importance in many enterprise architecture. In many EU and South America countries, certain types of data cannot leave the country because of potentially sensitive information. A secure SaaS model must be capable of providing reliability to the customer on the location of the data of the consumer. NETE4630 Advanced Network Security and Implementation Data Locality

  31. Each SaaS application may have different levels of availability and SLA (service-level agreement), which further complicates management of transactions and data integrity across multiple SaaS applications. The lack of integrity controls at the data level (or, in the case of existing integrity controls, bypassing the application logic to access the database directly) could result in problems. NETE4630 Advanced Network Security and Implementation Data Integrity

  32. data of various users will reside at the same location. Intrusion of data of one user by another becomes possible in this environment. A SaaS model should therefore ensure a clear boundary for each user’s data. The boundary must be ensured not only at the physical level but also at the application level. Possible Attacks include SQL injection flaws, Data validation, and Insecure storage. NETE4630 Advanced Network Security and Implementation Data Segregation

  33. The SaaS model must be flexible enough to incorporate the specific policies put forward by the organization. The model must also be able to provide organizational boundary within the cloud because multiple organization will be deploying their business processes within a single cloud environment. NETE4630 Advanced Network Security and Implementation Data Access

  34. With SaaS, the software is hosted outside of the corporate firewall. Many a times user credentials are stored in the SaaS providers’ databases and not as part of the corporate IT infrastructure. This means SaaS customers must remember to remove/disable accounts as employees leave the company and create/enable accounts as come onboard. NETE4630 Advanced Network Security and Implementation Authentication and Authorization

  35. Some vulnerability has been found in all virtualization software which can be exploited by malicious, local users to bypass certain security restrictions or gain privileges. For example, the vulnerability of Microsoft Virtual PC and Microsoft Virtual Server could allow a guest operating system user to run code on the host or another guest operating system. Vulnerability in Virtual PC and Virtual Server could allow elevation of privilege. NETE4630 Advanced Network Security and Implementation Vulnerabilities in Virtualization

  36. A multi-tier architecture needs to be adopted, supported by a load-balanced farm of application instances, running on a variable number of servers. Resiliency to hardware/software failures, as well as to denial of service attacks, needs to be built from the ground up within the application. NETE4630 Advanced Network Security and Implementation Availability

  37. The SaaS vendor needs to ensure that all sensitive enterprise data is regularly backed up to facilitate quick recovery in case of disasters. The use of strong encryption schemes to protect the backup data is recommended In the case of cloud vendors such as Amazon, the data at rest in S3 is not encrypted by default. The users need to separately encrypt their data and backups so that it cannot be accessed or tampered with by unauthorized parties. NETE4630 Advanced Network Security and Implementation Backups

  38. NETE4630 Advanced Network Security and Implementation Identity Management

  39. Provider might give some control to the people to build applications on top of the platform. But any security below the application level such as host and network intrusion prevention will still be in the scope of the provider and the provider has to offer strong assurances that the data remains inaccessible between applications. PaaS is intended to enable developers to build their own applications on top of the platform. NETE4630 Advanced Network Security and Implementation Security in PaaS

  40. Hackers are likely to attack visible code, including but not limited to code running in user context. They are likely to attack the infrastructure and perform extensive black box testing. The vulnerabilities of cloud are not only associated with the web applications but also vulnerabilities associated with the machine-to-machine Service-Oriented Architecture (SOA) applications, which are increasingly being deployed in the cloud. NETE4630 Advanced Network Security and Implementation Security in PaaS (cont.)

  41. With IaaS the developer has better control over the security as long as there is no security hole in the virtualization manager. The security responsibilities of both the provider and the consumer greatly differ between cloud service models. Amazon’s EC2 infrastructure as a service offering includes vendor responsibility for security up to the hypervisor, meaning they can only address security controls such as physical security, environmental security, and virtualization security. The consumer, in turn, is responsible for the security controls that relate to the IT system including the OS, applications and data NETE4630 Advanced Network Security and Implementation Security Issues in IaaS

  42. NETE4630 Advanced Network Security and Implementation Security Management and Monitoring Scope

  43. NETE4630 Advanced Network Security and Implementation ITIL Life Cycle in Enterprise

  44. Availability management (ITIL) Access control (ISO/IEC 27002, ITIL) Vulnerability management (ISO/IEC 27002) Patch management (ITIL) Configuration management (ITIL) Incident response (ISO/IEC 27002) System use and access monitoring (ISO/IEC 27002) NETE4630 Advanced Network Security and Implementation Security Management in Clouds

  45. Email filtering (including backup, archival, and e-discovery) Web content filtering; vulnerability management Identity-as-a-service (spelled as IDaaS). NETE4630 Advanced Network Security and Implementation Security-as-a-Service

  46. SaaS for email primarily involves cleansing spam, phishing emails, and malware included in email from an organization’s incoming email stream, and then delivering that clean email securely to the organization so that it is effectively not repolluted. Not only more comprehensive security for clients due to the use of multiple engines, but also better performance of those client devices (because the anti-malware runs in the cloud and not on the endpoint directly), as well as far better anti-malware management. Provide email encryption, SSL tunnel between email servers, backups and recovery NETE4630 Advanced Network Security and Implementation Email Filtering

  47. NETE4630 Advanced Network Security and Implementation Web Content Filtering

  48. Discover, prioritize, and assess systems for vulnerabilities, and then report and remediate those vulnerabilities and verify the systems’ secure operation. Monitor for and report on compliance with some regulatory requirements (e.g., the Payment Card Industry’s Data Security Standard). NETE4630 Advanced Network Security and Implementation Vulnerability Management

  49. NETE4630 Advanced Network Security and Implementation Identity Management-As-a-Service

  50. NETE4630 Advanced Network Security and Implementation Questions?

More Related