Cloud computing
Uploaded by akanksha-botke (category: Engineering)
Transcript of Cloud computing
Agenda
Introduction
Cloud Computing Models
Cloud Computing Architecture
Cloud Computing Characteristics
Purpose and Benefits
Cloud-Sourcing
Risk In Cloud Computing
Data Security In Cloud Computing
Vulnerabilities In Cloud Computing
Hardening Cloud Security
Conclusion
Introduction
Cloud computing is typically defined as a type of computing that relies on sharing computing resources rather than having local servers or personal devices handle applications.
In cloud computing, the word cloud (also phrased as "the cloud") is used as a metaphor for "the Internet," so the phrase cloud computing means "a type of Internet-based computing," where different services, such as servers, storage and applications, are delivered to an organization's computers and devices through the Internet.
Cloud Computing Models
1. Software as a Service (SaaS)
The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.
Characteristics of SaaS:
Easy to administer, since the provider runs the software
Globally accessible
The software is updated automatically by the provider
All licensed users run the same version of the software
Cloud Computing Models
2. Platform as a Service (PaaS)
The capability provided to the consumer is to deploy their own applications onto the cloud infrastructure without installing any platform or tools on their local machines. PaaS refers to providing platform-layer resources, including operating system support and software development frameworks, that can be used to build higher-level services.
Characteristics of PaaS:
No need to download and install an operating system
It saves customers money
It mainly delivers operating systems and development platforms over the Internet
Software can be developed, tested and deployed on the platform
Cloud Computing Models
3. Infrastructure as a Service (IaaS)
The capability provided to the consumer is the sharing of hardware resources for executing services, typically using virtualization technology. IaaS delivers the equipment that supports hardware, software, storage and servers, and is mainly used for delivering software application environments.
Characteristics of IaaS:
Policy-based services
Utility computing services
Dynamic scaling
Internet connectivity
Cloud Computing Characteristics
Common Characteristics:
Massive Scale
Homogeneity
Virtualization
Low Cost Software
Resilient Computing
Geographic Distribution
Service Orientation
Advanced Security
Use of Cloud Computing in Library
Data: Bibliographic, Digital, Administrative, License, Access and Preservation.
Content: Collections, Subscriptions, Print, Publishing.
Services: Library as Place, Content Access, Content Creation, Instruction, Research, Preservation.
Experience: Research, Study Support, Peer-based Collaboration, IT Exploration.
Purpose and Benefits
Cloud computing enables companies and applications that depend on system infrastructure to be infrastructure-less.
By using cloud infrastructure on a "pay per use and on demand" basis, all of us can save on capital and operational investment.
• Pay per use - Computing resources are measured at a granular level, allowing users to pay only for the resources and workloads they use.
• On demand - End users can spin up computing resources for almost any type of workload on demand.
Clients can:
• Put their data on the platform instead of on their own desktop PCs and/or their own servers.
• Put their applications on the cloud and use the servers within the cloud to do processing and data manipulation.
Cloud-Sourcing
Why is it becoming a Big Deal:
• Using high-scale/low-cost providers,
• Any time/place access via web browser,
• Rapid scalability; incremental cost and load sharing,
• Reduces the need to focus on local IT.
Concerns:
• Performance, reliability, and SLAs,
• Control of data, and service parameters,
• Application features and choices,
• Interaction between Cloud providers,
• No standard API – mix of SOAP and REST!
• Privacy, security, compliance, trust…
Data Security In Cloud Computing
Data outsourcing - Users are relieved from the burden of data storage
and maintenance. When users put their data (of large size) on the cloud,
the data integrity protection is challenging.
Cloud computing is built on top of virtualization; if there are security issues
with virtualization, there will also be security issues with cloud computing.
Data segregation - Data in the cloud is typically in a shared environment
alongside data from other customers. Encryption is effective but isn't a
cure-all. The cloud provider should provide evidence that encryption
schemes were designed and tested by experienced specialists.
A data center full of servers supporting cloud computing is internally and
externally indistinguishable from a data center full of "regular" servers. In
each case, it will be important for the data center to be physically secure
against unauthorized access
Data Security In Cloud Computing
Computer and network security is fundamentally about three
goals/objectives:
-- Confidentiality (C)
-- Integrity (I)
-- Availability (A)
Confidentiality refers to keeping data private. Privacy takes on added
importance as data leaves the borders of the organization. Not only
internal secrets and sensitive personal data, but also metadata and
transactional data can leak important details about firms or
individuals. Confidentiality is supported by technical tools such as
encryption and access control, as well as by legal protections.
Data Security In Cloud Computing
Integrity is the degree of confidence that the data in the cloud is protected
against accidental or intentional alteration without authorization. It also
extends to the hurdles of synchronizing multiple databases. Integrity is
supported by well-audited code, well-designed distributed systems, and
robust access control mechanisms.
Availability means being able to use the system as anticipated. Cloud
technologies can increase availability through widespread internet-enabled
access, but the client is dependent on the timely and robust provision of
resources. Availability is supported by capacity building and good
architecture by the provider, as well as well-defined contracts and terms of
agreement.
Vulnerabilities In Cloud Computing
Insecure interfaces and APIs
Unlimited allocation of resources
Data-related vulnerabilities
Vulnerabilities in Virtual Machines
Vulnerabilities in Virtual Machine Images
Vulnerabilities in Virtual Networks
Vulnerabilities in Hypervisors
Local Host Security
Vulnerabilities In Cloud Computing
Insecure interfaces and APIs
Cloud providers offer services that can be accessed through APIs (SOAP,
REST, or HTTP with XML/JSON) The security of the cloud depends upon
the security of these interfaces. Some problems are:
a) Weak credentials
b) Insufficient authorization checks
c) Insufficient input-data validation
Also, cloud APIs are still immature, which means they are frequently
updated. A fixed bug can introduce another security hole in the application.
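The three API problems listed above, as an added example that is not part of the original slides: one storage-API handler written twice, first with weak credential handling, no authorization check and no input validation, then in hardened form. The tenants, API keys and object identifiers are constructed for the demo and are not real identifiers; only the Python standard library is used.

```python
"""Added example, not from the original slides: a storage-API handler with
the three listed weaknesses, beside its hardened form. Tenants, API keys and
objects below are constructed demo data, not real identifiers."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed demo data: one API key per tenant and the objects each owns.
API_KEYS = {
    "tenant-a": "a" * 32,
    "tenant-b": "b" * 32,
}
OBJECTS = {
    "obj-1001": {"owner": "tenant-a", "body": "tenant-a payroll export"},
    "obj-1002": {"owner": "tenant-b", "body": "tenant-b contract archive"},
}
OBJECT_ID_RE = re.compile(r"^obj-\d{1,12}$")


@dataclass
class Request:
    api_key: str
    object_id: str


def vulnerable_get_object(req: Request) -> str:
    """Authenticates, but never asks whether the caller may read this object."""
    # a) weak credential handling: any length accepted, plain == comparison
    if req.api_key not in API_KEYS.values():
        return "401 unauthorized"
    # c) object_id is used as supplied, with no shape check
    obj = OBJECTS.get(req.object_id)
    # b) missing authorization: tenant-a can read tenant-b's object (IDOR)
    return obj["body"] if obj else "404 not found"


def _tenant_for_key(presented: str):
    """Map an API key to its tenant, comparing digests in constant time."""
    presented_digest = hashlib.sha256(presented.encode()).digest()
    for tenant, key in API_KEYS.items():
        key_digest = hashlib.sha256(key.encode()).digest()
        if hmac.compare_digest(presented_digest, key_digest):
            return tenant
    return None


def hardened_get_object(req: Request) -> str:
    """Validates input, authenticates in constant time, then authorizes."""
    # c) reject malformed identifiers before they reach the storage layer
    if not OBJECT_ID_RE.match(req.object_id):
        return "400 bad request"
    # a) enforce a minimum key length and a timing-safe comparison
    if len(req.api_key) < 32:
        return "401 unauthorized"
    tenant = _tenant_for_key(req.api_key)
    if tenant is None:
        return "401 unauthorized"
    # b) authorization: the object must belong to the authenticated tenant;
    #    answering 404 for foreign objects avoids confirming they exist
    obj = OBJECTS.get(req.object_id)
    if obj is None or obj["owner"] != tenant:
        return "404 not found"
    return obj["body"]


if __name__ == "__main__":
    cross_tenant = Request(api_key="a" * 32, object_id="obj-1002")
    print("vulnerable:", vulnerable_get_object(cross_tenant))  # leaks tenant-b data
    print("hardened:  ", hardened_get_object(cross_tenant))    # 404 not found
```

The ordering in the hardened handler matters: validate the shape of untrusted input first, authenticate second, and only then consult the store, so that neither a malformed identifier nor an unauthenticated caller ever reaches the storage layer.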
Vulnerabilities In Cloud Computing
Unlimited allocation of resources
Inaccurate modeling of resource usage can lead to overbooking or over-
provisioning.
Due to the heterogeneous and time-variant environment in a Cloud, the
resource provisioning becomes a complex task, forcing the mediation
system to respond with minimal turnaround time in order to maintain the
developer’s quality requirements.
Vulnerabilities In Cloud Computing
Data-related vulnerabilities
Data can be collocated with the data of unknown owners (competitors, or
intruders) with a weak separation.
Data may be located in different jurisdictions which have different laws.
Incomplete data deletion – data cannot be completely removed.
Data backup done by untrusted third-party providers.
Information about the location of the data usually is unavailable or not
disclosed to users.
Data is often stored, processed, and transferred in clear plain text.
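The integrity side of these points (the data-outsourcing challenge raised under Data Security, and the weak separation and plaintext storage listed here), as an added example that is not part of the original slides: the client keeps an HMAC key and the current version number of each object it has stored, and the tag it stores alongside the object binds the object identifier, the version and the body, so a modified, swapped or rolled-back object is detected on retrieval even though the provider is untrusted. The provider is modelled as an in-memory dict, and the key and objects are constructed for the demo. This protects integrity only; confidentiality of the stored body would additionally need client-side encryption, which the standard library does not provide.

```python
"""Added example, not from the original slides: client-held integrity tags
for data outsourced to an untrusted provider (modelled as a dict). Key and
objects are constructed demo data."""
import hashlib
import hmac
import json


class IntegrityError(Exception):
    """Raised when the provider returns something the client did not store."""


def make_tag(key: bytes, object_id: str, version: int, body: bytes) -> bytes:
    # The tag covers the object id and version as well as the body, so the
    # provider cannot serve another object, or an old version, under this id.
    header = json.dumps({"id": object_id, "v": version}, sort_keys=True).encode()
    return hmac.new(key, header + b"\x00" + body, hashlib.sha256).digest()


class Client:
    def __init__(self, key: bytes, provider: dict):
        self.key = key              # never leaves the client
        self.provider = provider    # untrusted remote storage
        self.versions = {}          # last version written, per object id

    def put(self, object_id: str, body: bytes) -> int:
        version = self.versions.get(object_id, 0) + 1
        self.provider[object_id] = {
            "v": version,
            "body": body,
            "tag": make_tag(self.key, object_id, version, body),
        }
        self.versions[object_id] = version
        return version

    def get(self, object_id: str) -> bytes:
        rec = self.provider.get(object_id)
        if rec is None:
            raise IntegrityError(f"{object_id}: missing at provider")
        if rec["v"] != self.versions.get(object_id):
            raise IntegrityError(f"{object_id}: version {rec['v']} returned, "
                                 f"expected {self.versions.get(object_id)} (rollback?)")
        expected = make_tag(self.key, object_id, rec["v"], rec["body"])
        if not hmac.compare_digest(expected, rec["tag"]):
            raise IntegrityError(f"{object_id}: tag mismatch (modified data)")
        return rec["body"]


def demo() -> dict:
    """Honest retrieval plus three things a misbehaving provider might do."""
    provider = {}
    client = Client(key=b"\x11" * 32, provider=provider)   # demo key only
    client.put("report", b"q1 figures v1")
    stale = dict(provider["report"])           # the provider kept the old record
    client.put("report", b"q1 figures v2")
    client.put("notes", b"meeting notes v1")
    client.put("notes", b"meeting notes v2")   # same version number as "report"
    out = {"honest": client.get("report")}

    def attempt(name: str, record: dict) -> None:
        good = provider["report"]
        provider["report"] = record
        try:
            client.get("report")
            out[name] = "undetected"
        except IntegrityError:
            out[name] = "detected"
        provider["report"] = good

    attempt("modified", dict(provider["report"], body=b"q1 figures v2 (edited)"))
    attempt("rollback", stale)                    # valid old record, wrong version
    attempt("swapped", dict(provider["notes"]))   # another object's valid record
    return out


if __name__ == "__main__":
    print(demo())
```

The version counter is what turns a plain MAC into rollback detection: without it the stale record at the provider carries a perfectly valid tag, and the client would accept last quarter's figures as current.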
Vulnerabilities In Cloud Computing
Vulnerabilities in Virtual Machines
Possible covert channels in the collocation of VMs.
Unrestricted allocation and deallocation of resources with VMs.
Uncontrolled Migration - VMs can be migrated from one server to another
server due to fault tolerance, load balance, or hardware maintenance.
Uncontrolled snapshots – VMs can be copied in order to provide flexibility,
which may lead to data leakage.
Uncontrolled rollback could lead to reset vulnerabilities - VMs can be
backed up to a previous state for restoration, but patches applied after the
previous state disappear.
VMs have IP addresses that are visible to anyone within the cloud -
attackers can map where the target VM is located within the cloud (Cloud
cartography).
Vulnerabilities In Cloud Computing
Vulnerabilities in Virtual Machine Images
Uncontrolled placement of VM images in public repositories.
VM images are dormant artifacts and so receive no patches while stored; an image falls behind the running systems it was built from.
Vulnerabilities in Virtual Networks
The cloud characteristic ubiquitous network access means that cloud
services are accessed via network using standard protocols. In most
cases, this network is the Internet, which must be considered untrusted.
Internet protocol vulnerabilities - such as vulnerabilities that allow man-in-
the-middle attacks - are therefore relevant for cloud computing.
Sharing of virtual bridges by several virtual machines.
Vulnerabilities In Cloud Computing
Vulnerabilities in Hypervisors
Complex hypervisor code.
Flexible configuration of VMs or hypervisors to meet organization needs can be
exploited.
Any remote user can initiate an attack on a Hypervisor and its guest VMs if it is
located in a subnet from which the machine running the Hypervisor is reachable.
Almost any code can be executed from a guest VM’s Ring 3; however, some
functionality will be limited by the OS or the Hypervisor (causing an exception).
Nevertheless, it is easiest to get user-space code to run, so any exploits from this
ring are attractive to an attacker.
An attack from a guest VM's kernel space is less convenient, as it requires
control over the paravirtualized front-end driver.
The Hypervisor can access any resource in the host system (i.e. memory,
peripherals, CPU state, etc.), which means that it can access every guest VM’s
resources.
Vulnerabilities In Cloud Computing
Local Host Security
Are local host machines part of the cloud infrastructure?
• They sit outside the security perimeter.
• While cloud consumers worry about the security on the cloud provider's site, they may easily forget to harden their own machines.
The lack of security of local devices can:
• Provide a way for malicious services on the cloud to attack local networks through these terminal devices.
• Compromise the cloud and its resources for other users.
Vulnerabilities In Cloud Computing
With mobile devices, the threat may be even stronger:
• Users misplace devices or have them stolen.
• Security mechanisms on handheld gadgets are often insufficient compared to, say, a desktop computer.
• This provides a potential attacker an easy avenue into a cloud system.
• If a user relies mainly on a mobile device to access cloud data, the threat to availability is also increased, as mobile devices malfunction or are lost.
Devices that access the cloud should have:
• Strong authentication mechanisms
• Tamper-resistant mechanisms
• Strong isolation between applications
• Methods to trust the OS
• Cryptographic functionality when traffic confidentiality is required
Hardening Cloud Security
Secure Logic Migration and Execution Technology
Data Traceability Technology
Authentication and Identity
Application of Encryption for Data in Motion
Data Masking Technology
Hardening Cloud Security
Secure Logic Migration and Execution Technology
For confidential data that cannot be released outside of the company, even in a form produced by concealing certain aspects of the data, protection is applied simply by defining the security level of the data.
Data Traceability Technology
The information gateway tracks all information flowing into and out of the cloud, so these flows and their content can be checked.
Data traceability technology uses the logs obtained on data traffic, as well as the characteristics of the related text, to make visible the data used in the cloud.
Hardening Cloud Security
Authentication and Identity
Maintaining confidentiality, integrity, and availability for data security
is a function of the correct application and configuration of familiar
network, system, and application security mechanisms at various
levels in the cloud infrastructure.
Authentication of users takes several forms, but all are based on a combination of authentication factors: something an individual knows (such as a password), something they possess (such as a security token), or some measurable quality that is intrinsic to them (such as a fingerprint).
Hardening Cloud Security
Application of Encryption for Data in Motion:
Encryption is used to assure that if there was a breach of
communication integrity between the two parties that the data
remains confidential.
Authentication is used to assure that the parties communicating data
are who they say they are.
Common means of authentication themselves employ cryptography
in various ways.
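The two requirements stated above, confidentiality of the channel and authentication of the peer, as they appear in a client's TLS configuration; an added example that is not part of the original slides. The weak setting (verification switched off, which leaves encryption but no idea who is on the other end) is shown beside the hardened one, with a small audit function a reviewer could run over any context. Standard library `ssl` only; no network connection is made, and the host name in the connection helper is a placeholder the caller supplies.

```python
"""Added example, not from the original slides: weak versus hardened client
TLS contexts, plus an audit over them. No connection is opened here."""
import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: traffic is encrypted, but the peer is never verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # any certificate accepted: MITM-able
    # minimum_version is left at the library default (whatever OpenSSL allows)
    return ctx


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server certificate and name, and refuse TLS below 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise against a client-side context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled: peer not authenticated")
    if not ctx.check_hostname:
        findings.append("hostname check disabled: any valid certificate accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def open_tls(host: str, port: int = 443,
             ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Connect with SNI set so the hostname check has a name to verify."""
    ctx = hardened_client_context() if ctx is None else ctx
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

Passing `server_hostname` to `wrap_socket` is what makes the hostname check bite; a hardened context wrapping a socket without it still cannot tell a certificate for the intended host from any other certificate the same CA issued.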
Hardening Cloud Security
Data Masking Technology
Data masking is a technique that is intended to remove all
identifiable and distinguishing characteristics from data in order to
render it anonymous and yet still be operable.
This technique is aimed at reducing the risk of exposing sensitive
information.
Data masking has also been known by such names as data
obfuscation, de-identification, or depersonalization.
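Masking applied to a customer record, as an added example that is not part of the original slides: direct identifiers are replaced by keyed pseudonyms (deterministic, so joins across tables still work and the data "remains operable"), the date of birth is generalised to an age band, and the card number is partially masked. The record and the masking key are constructed for the demo and are not real personal data; standard library only.

```python
"""Added example, not from the original slides: masking a customer record
with keyed pseudonyms, generalisation and partial masking. The record and
the key are constructed demo data."""
import hashlib
import hmac
import re
from datetime import date


def pseudonymize(key: bytes, value: str, length: int = 16) -> str:
    """Keyed, one-way, repeatable token: the same input always maps to the
    same token, only the key holder can re-derive it, and nobody can invert it."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:length]


def mask_card(pan: str) -> str:
    """Keep only the last four digits, which is what support staff need."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(key: bytes, email: str) -> str:
    """Pseudonymize the local part but keep the domain for aggregate reporting."""
    local, _, domain = email.partition("@")
    return f"{pseudonymize(key, local, 12)}@{domain}"


def age_band(dob: date, today: date) -> str:
    """Generalise a date of birth to a ten-year age band."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def mask_record(key: bytes, rec: dict, today: date) -> dict:
    """Return a copy of the record with identifying fields masked."""
    return {
        "customer_id": pseudonymize(key, rec["customer_id"]),
        "name": pseudonymize(key, rec["name"]),
        "email": mask_email(key, rec["email"]),
        "age_band": age_band(rec["dob"], today),   # dob itself is dropped
        "card": mask_card(rec["card"]),
        "country": rec["country"],                 # coarse enough to keep
        "spend": rec["spend"],                     # the analytic value stays usable
    }


# Constructed demo record and key, not real personal data.
DEMO_KEY = b"\x42" * 32
DEMO_RECORD = {
    "customer_id": "C-10421",
    "name": "Jane Example",
    "email": "jane@example.com",
    "dob": date(1985, 6, 14),
    "card": "4111 1111 1111 1111",
    "country": "NL",
    "spend": 1299.50,
}


if __name__ == "__main__":
    print(mask_record(DEMO_KEY, DEMO_RECORD, date.today()))
```

The masking key must be held as carefully as the data it protects: whoever has it can re-compute the pseudonym of any candidate name and so re-identify records, which is the re-identification risk the slide's "reducing the risk" wording leaves open.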
Conclusion
Cloud computing is sometimes viewed as a re-creation of the classic mainframe client-server model.
However, resources are ubiquitous, scalable and highly virtualized.
It contains all the traditional threats, as well as new ones.
In developing solutions to cloud computing security issues, it may be helpful to identify the problems and approaches in terms of CIA (Confidentiality, Integrity and Availability).