740 likes | 1.1k Vues
CLOUD COMPUTING. BTEC Pearson Higher Nationals in Computing. Learning Outcomes. Learning Outcomes. LO4 - Analyse the technical challenges for cloud applications and assess their risks. Security aspects:. Data Security, Virtualisation , Network Security. Security aspects: Data Security.
E N D
CLOUD COMPUTING BTEC Pearson Higher Nationals in Computing
Learning Outcomes • LO4 - Analyse the technical challenges for cloud applications and assess their risks.
Security aspects: • Data Security, • Virtualisation, • Network Security
Security aspects: Data Security • A number of security threats are associated with cloud data services: not only traditional security threats, such as network eavesdropping, illegal invasion, and denial of service attacks, but also specific cloud computing threats, such as side channel attacks, virtualization vulnerabilities, and abuse of cloud services.
Security aspects: Data Security • The following security requirements limit the threats: • Confidentiality • Data confidentiality is the property that data contents are not made available or disclosed to illegal users. • Outsourced data is stored in a cloud and out of the owners' direct control. • Only authorized users can access the sensitive data while others, including CSPs, should not gain any information of the data. • Data owners expect to fully utilize cloud data services, e.g., data search, data computation, and data sharing, without the leakage of the data contents to CSPs or other adversaries.
Security aspects: Data Security • The following security requirements limit the threats: • Access controllability • Access controllability means that a data owner can perform the selective restriction of access to her or his data outsourced to cloud. • Legal users can be authorized by the owner to access the data, while others can not access it without permissions. • It is desirable to enforce fine-grained access control to the outsourced data, i.e., different users should be granted different access privileges with regard to different data pieces. • The access authorization must be controlled only by the owner in untrusted cloud environments.
Security aspects: Data Security • The following security requirements limit the threats: • Integrity • Data integrity demands maintaining and assuring the accuracy and completeness of data. • A data owner always expects that her or his data in a cloud can be stored correctly and trustworthily. • It means that the data should not be illegally tampered, improperly modified, deliberately deleted, or maliciously fabricated. • If any undesirable operations corrupt or delete the data, the owner should be able to detect the corruption or loss. • When a portion of the outsourced data is corrupted or lost, it can still be retrieved by the data users.
Security aspects: Virtualisation • Virtualization is the key to enabling a Cloud Computing environment. • In a multi-tenant environment it becomes vital that there is isolation between processes catering to different organizations. • A bug in application or operating system can lead to isolation violation. • The solution to such a problem to cater multiple organizations (tenants) is either by allocating separate physical machines or simply separate virtual machines.
Security aspects: Virtualisation • Virtualization in this situation becomes a more cost effective solution as we may not require entire available resources rather we may only use slice of resources in particular machine. • One of the essential requirements of cloud provider is rapid elasticity, where resources can be added or removed depending on current demand by client organization. Cloud providers can add new virtual servers/machines or remove them easily.
Security aspects: Virtualisation • Another advantage of virtualization is portability. • It is easy to move virtual machines from one physical machine to another, when maintenance work is required.
Security aspects: Virtualisation • There are two types of virtualization in cloud environment. These are: • Full Virtualization • Para Virtualization • In full virtualization, complete hardware architecture is replicated using virtual machines. • In para virtualization, an operating system is altered with the goal that it can be run simultaneously with other operating systems.
Security aspects: Virtualisation • Virtual machine instance isolation guarantees that diverse instances running on the same physical machine are isolated from one another. • Nonetheless, offering perfect isolation is not possible by current VMMs. • Numerous bugs have been discovered in all prominent VMMs that permit getting into the host OS. • All virtualization software at least as of now can be abused by harmful clients to sidestep certain security confinements.
Security aspects: Virtualisation • The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. • Virtualization alters the relationship between the OS and underlying hardware – be it computing, storage or even networking. • This introduces an additional layer – virtualization – that itself must be properly configured, managed and secured.
Security aspects: Virtualisation • Specific concerns include the potential to compromise the virtualization software, or "hypervisor". While these concerns are largely theoretical, they do exist. • For example, a breach in the administrator workstation with the management software of the virtualization software can cause the whole datacenter to go down or be reconfigured to an attacker's liking.
Security aspects: Network Security • There are some risky kind of threats which are not particular to cloud environment, but launched immensely in cloud system. • This is because of cloud system characteristics and their generality. These hazards are recorded beneath:
Security aspects: Network Security • Cross Site Scripting (XSS) Attacks • In this kind of assault noxious script is injected into web. • There are two strategies of XSS attack: • Stored XSS and Reflected XSS • In Stored XSS, the noxious code is stored permanently in an asset handled by web application. • In Reflected XSS, the noxious code is not stored permanently. Indeed it is instantly returned back to the client.
Security aspects: Network Security • Working of XSS attack
Security aspects: Network Security • Sniffer Attacks • These kind of assaults are propelled by applications which can catch packets streaming in a network. • If the information that is being exchanged through these packets are not encrypted, it can be perused. • A sniffer program, through the network interface card (NIC) guarantees that information or traffic attached to different frameworks on the network additionally gets recorded.
Security aspects: Network Security • SQL Injection Attacks • A harmful code is embedded into a standard SQL query. • Therefore attacker gets an illicit access to a database. • Attacker is capable to access or change some sensitive information of any cloud user or organization.
Security aspects: Network Security • Denial of Service (DOS) Attacks • An effort to make network services unavailable to approved users is called as DoS attack. • The server delivering services are overwhelmed by countless requests. Thus services cannot be made available to approved clients. • Sometimes, when user attempt to access a site he observes that he is unable to access the site and an error massage is displayed. It is due to over-burdening of the server with large number of requests to access the site.
Security aspects: Network Security • Man-in-the-Middle Attacks • In such an assault, an intruder tries to meddle in a continuous discussion between sender and receiver to infuse false data and to have knowledge of the critical information exchange between them.
Security aspects: Network Security • Distributed Denial of Service (DDoS) Attacks • Extended form of DoS attack is DDoS attack. • DDoS attack make use of many machines and internet connections. • Attacker uses a group of agents to send DDoS attack commands repeatedly to the target system. • Sudden traffic can lead to load the website very slowly to their intended users. Sometimes this traffic is so high that it shuts down the site completely.
Security aspects: Network Security • Reused IP Addresses • At the point when a specific client moves out of a network, then that IP address (prior) is assigned to another new client. • However the old IP address is being relocated to another client has the possibilities of getting information by some other client. This fact is not declined as the DNS cache holds the prior IP address. • The privacy of the prior client is violated as information belonging to the prior client has open access to some other new client.
Security aspects: Network Security • Security Issues Related to the Hypervisor • Virtualization is main concept in cloud computing. • In virtualization, hypervisor is also known as virtual machine monitor (VMM) which act as controller. • VMM is responsible to run multiple operating systems at a time on a host system. • As multiple operating systems are running on a single system, it is difficult to supervise all the systems.
Security aspects: Network Security • Security Issues Related to the Hypervisor • Hence it is very hard to maintain the security of each one. • Sometimes guest OS try to execute a virulent code on host OS. • This may lead to take the host system down, take full control host system and obstruct the access to all other guest systems.
Security aspects: Network Security • Google Hacking • Google application engine is the well-known solution supplier in the area of cloud computing. • This engine utilizes a distributed architecture known as Google geo-distributed architecture. • In this attack, the hacker looks all the conceivable frameworks with an escape clause and discovers those having the provisions he/she wishes to hack upon.
Security aspects: Network Security • Cookie Poisoning • To have an access of an intruder to a webpage, it involves changing or altering the contents of cookie. • User identity related credentials like username and password etc., are stored in cookies. • Once these cookies will be accessible, its content can be changed to approve unauthorized user.
Security aspects: Network Security • Working of Cookie Poisoning Attack
Security aspects: Network Security • Cracking CAPTCHA • In recent study, it has been discovered that the spammers are able to break the CAPTCHA, given by the suppliers like Gmail, Hotmail etc. • Spammers utilize audio system which is used to read the CAPTCHA for the visually impaired internet clients.
Platform related security: • SaaS Security issues • PaaS Security Issues • IaaS Security Issues • Audit and Compliance
SaaS Security issues • SaaS security challenges: • Data security • Application security • Deployment security
SaaS Security issues • Data Security • Data is one of the most important assets for users which must be kept secure. • Data resides in the database which is outside the boundary of the enterprise and depends on the provider for proper security measures.
SaaS Security issues • Data Security • Since multi-tenancy through virtualization is a major feature for SaaS, SaaS providers are questioned if they can provide isolated environment for each user in which none of them can see each other’s data without permission. • SaaS consumers have no idea “how strong the access control system is?” to prevent unauthorized access. • The transmission channel between SaaS providers and users is not considered always secure.
SaaS Security issues • Data Security • Some providers only use SSL during login session, leaving user data unprotected in following sessions. • In addition, data backup and recovery should be taken into consideration by SaaS provider to minimize the impact of accidents.
SaaS Security issues • Application Security • SaaS applications are mostly used and managed over the web. They are presented to users in a browser. • This makes it inevitable to confront the security challenges such as SQL injection, Cross-site scripting and Cross-site Request Forgery. • API is the backbone of SaaS platform which aims to deal with heterogeneity and allow automation of common process that interact with services running on another machine.
SaaS Security issues • Application Security • The benefit of API to SaaS is significant, but it is also plagued with security issues. • Poorly coded APIs can be easily abused or misused by an attacker. • Web service is a software system designed to support machine-to-machine interaction over network. • WSDl and SOAP are used largely by SaaS applications, typically conveyed using HTTP with an XML serialization.
SaaS Security issues • Application Security • These techniques, however, are found to be vulnerable to various attacks such as XML wrapping attacks and WSDL scanning. • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attack is another security concern which can bring down the SaaS services for hours if there is no efficient countermeasures in place.
SaaS Security issues • Application Security • In addition, rampant malware concealed in the SaaS platform is another threat targeting the user. • As people tend to access SaaS applications via mobile devices, substantial amount of malware began to surface targeted at mobile devices, especially on Android-based devices.
SaaS Security issues • Software-as-a-Service Deployment Security • Virtualization refers to the act of creating different in-stances on hardware and on each instance a guest OS is installed. • SaaS is largely built on virtualization technology to provide multi-tenancy. However, the vulnerability and weakness of virtualization affects the SaaS security.
SaaS Security issues • Software-as-a-Service Deployment Security • Even rootkit attackers can gain access to the running instance hosted on the hypervisor, thus, can monitor another VM’s resources and CPU utilization, read inbound and outbound traffic of another instance and shut down any instances. • Virtual network in SaaS can also degrade the security level
PaaS Security issues • Interoperability • Interoperability is the ability for different cloud to talk to each other at three different levels (SaaS, PaaS and IaaS). • It is actually the ability to write code that works with more than one cloud provider simultaneously, regardless of the differences between the providers. • Application written to use specific services from a vendor's PaaS will require changes to use similar services from another vendor's PaaS.
PaaS Security issues • Interoperability • Efforts are taken on development of open and proprietary standard API's to enable cloud management, security, and interoperability. Common container formats like DMTF’S Open Virtualization Format (OVF) can be used. • Application written to those standards is far more likely to be interoperable and portable. Interoperability can be maintained by providing common interfaces to objects for resource access.
PaaS Security issues • Interoperability • Trusted Computing Base (TCB) is the solution for the mentioned issue. TCB is collection of executable code and configuration files that are considered to be secure which is installed as a layer over the operating system and provides a standardized application programming interface(API) for user objects.
PaaS Security issues • Interoperability • TCB code is minimized to avoid complexity in codes and security flaws. TCB is built by resource classification, setting resource assignment rules and evaluating resource access requests. • Interoperability can be achieved by installation of TCB on each and every host and assignment of resource through TCB. • Attacks from objects to hosts can be prevented as every resource assignment is checked by TCB.
PaaS Security issues • Host Vulnerability • Vulnerability may be described in terms of resistance to a certain type of attack. • Multitenancy allows user objects to be spread over interconnected multi-user hosts. Hosts have to be protected from attacks in such an environment. • If this protection fails, an attacker can easily access the resources of host and also tenant objects. • Provider has to take necessary security measures. TCB serves as solution for host vulnerability also.