Cloud Computing & Security Issues Prepared by: Hamoud Al-Shammari CS 6910 Summer, 2011 University of Colorado at Colorado Springs Engineering & Applied Science

Slide 2: Outline
First Part: What is Cloud Computing. Layers of Cloud Computing. Technical Security Issues in Cloud Computing.
Second Part: What are the problems? Opportunities for Advancement. The Idea of PVI.
7/25/2011 Alshammari/Cloud Security

Slide 3: What is Cloud Computing?
Cloud computing is a new paradigm for the provision of computing infrastructure: it shifts the location of this infrastructure to the network in order to reduce the costs of hardware and software resources.

Slide 4: Models of Cloud Computing
1- Software as a Service.
2- Platform as a Service.
3- Infrastructure as a Service.

Slide 5: Models of Cloud Computing
1- Software as a Service (SaaS): lets users use applications online. Ex: Mail, Writer, Projects, etc.

Slide 6: Models of Cloud Computing
2- Platform as a Service (PaaS): lets users control the hosting environment for their specific needs. Ex: Google App Engine, used to deploy and dynamically scale Python- and Java-based web applications.

Slide 7: Models of Cloud Computing
3- Infrastructure as a Service (IaaS): provides basic infrastructure components such as CPU, memory and storage. Ex: Amazon's Elastic Compute Cloud (EC2).


Slide 9: Two main technologies are used to access these three Cloud services
1- Web Services: provide access to IaaS.
2- Web Browsers: provide access to SaaS.
* Both provide access to PaaS.

Slide 10: Why do we use Cloud Computing?
To reduce costs (Pay-As-You-Go):
1- To reduce hardware costs (IaaS).
2- To reduce software license costs (SaaS, PaaS).
To support scalable systems: no need to worry about growing numbers of users and requests.

Slide 11: Some Technical Security Issues in Cloud Computing
Cloud security issues focus on:
1- Confidentiality.
2- Integrity.
3- Authentication.
Two places in the Cloud must be secured:
1- Web Services (WS).
2- Web Browser (WB).

Slide 12: 1- Web Service Security
- WS-Security is the security mechanism for web services; it works at the message level.
- How to provide Confidentiality, Integrity and Authentication for messages?
1- By using XML Signature: XML fragments are digitally signed to ensure integrity and authentication.
2- By using XML Encryption: XML fragments are encrypted to ensure data confidentiality.

Slide 13: 2- Web Browser Security
- The client PC is used for I/O only, and for authentication and authorization of commands sent to the cloud. A client just sends a request and waits for the result.
- Modern web browsers use AJAX techniques (Asynchronous JavaScript and XML) to build platform-independent I/O tools.
- New names for these techniques: Web Applications, Web 2.0, or SaaS.

Slide 14: 3- Transport Layer Security (TLS) or Secure Sockets Layer (SSL)
1- Record Layer: encrypts/decrypts the TCP data stream.
2- TLS Handshake: used to authenticate the server and the client.
- SSL became the most important cryptographic protocol worldwide because it is implemented in every web browser.

Slide 15: 4- Cloud Malware Injection Attack
- The attacker adds his own system to the cloud system.
- To solve the PROBLEM: store a hash value in the cloud and compare any new service or request against that hash value.
- WHAT if the attacker can create a valid hash value?

Slide 16: 5- Flooding Attacks
- The attacker sends a huge number of nonsense requests to a certain service; the problem arises because data traffic from different time zones is handled by the same server.
- As a result, the servers will NOT serve requests from other users.
- To solve the PROBLEM: cloud computing enables dynamic adaptation of hardware resources to the actual workload by using Virtual Machines (VMs).

Slide 17: Second Part: "What are the problems?"

Slide 18: What is the problem with Web Services?
- XML Signature Element Wrapping:
- SOAP messages are generally transmitted over the HTTP protocol in XML format.
- An attacker is able to manipulate a SOAP message by copying the target element, inserting another value, and moving the original element somewhere else in the SOAP message.
- To solve the problem:
- Use a combination of WS-Security with XML Signature to sign the particular element, together with digital certificates such as X.509.
- Create a list of the elements that are used in the system, and reject any other messages.
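The wrapping gap and the slide's two countermeasures, as an added example that is not part of the original presentation: the XML signature is stood in for by an HMAC over the element referenced by its wsu:Id (a real deployment uses XML-DSig with an X.509-certified key), the key and both SOAP messages are constructed, and DeleteInstance is a hypothetical operation.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ET.register_namespace("s", SOAP); ET.register_namespace("wsu", WSU)   # fixed prefixes
KEY = b"constructed-demo-key"   # constructed stand-in for the signer's key / certificate
KNOWN_TAGS = {f"{{{SOAP}}}Envelope", f"{{{SOAP}}}Header", f"{{{SOAP}}}Body", "DeleteInstance"}

def digest(elem):
    """Stand-in for the XML-DSig digest+signature: HMAC over the serialized element."""
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()

def find_by_id(envelope, ident):
    """Reference resolution as a plain verifier does it: first element carrying that Id."""
    return next((e for e in envelope.iter() if e.get(f"{{{WSU}}}Id") == ident), None)

def processed_body(envelope):
    """What the service logic executes: the Body child of the Envelope."""
    return envelope.find(f"{{{SOAP}}}Body")

def sign(xml_text):
    return digest(find_by_id(ET.fromstring(xml_text), "body"))

def verify_naive(xml_text, sig):
    """Checks only that the referenced element is intact (the signature wrapping gap)."""
    ref = find_by_id(ET.fromstring(xml_text), "body")
    return ref is not None and hmac.compare_digest(digest(ref), sig)

def verify_strict(xml_text, sig):
    """The slide's two mitigations: the signed element must be the one that is processed,
    and any element outside the system's known list rejects the whole message."""
    envelope = ET.fromstring(xml_text)
    ref = find_by_id(envelope, "body")
    if ref is None or ref is not processed_body(envelope):
        return False
    if any(e.tag not in KNOWN_TAGS for e in envelope.iter()):
        return False
    return hmac.compare_digest(digest(ref), sig)

def target_of(xml_text):
    """The instance id the service would act on, taken from the processed Body."""
    return processed_body(ET.fromstring(xml_text)).find("DeleteInstance").get("id")

# Constructed messages: ORIGINAL is what the client signed; WRAPPED keeps that signed Body
# (moved into the Header) and places a different command where the service reads the Body.
ORIGINAL = (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsu="{WSU}"><s:Header/>'
            '<s:Body wsu:Id="body"><DeleteInstance id="vm-1"/></s:Body></s:Envelope>')
WRAPPED = (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsu="{WSU}"><s:Header><Wrapper>'
           '<s:Body wsu:Id="body"><DeleteInstance id="vm-1"/></s:Body></Wrapper></s:Header>'
           '<s:Body><DeleteInstance id="vm-9"/></s:Body></s:Envelope>')
```

verify_naive accepts WRAPPED because the element it references is untouched, while the service would act on vm-9; verify_strict rejects it on both counts.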

Slide 19: What is the problem with Web Browsers?
- Web browsers are not able to apply WS-Security concepts (XML Signature and XML Encryption) BECAUSE:
1- Data can only be encrypted through TLS (Transport Layer Security).
2- XML signatures are only used within the TLS handshake.

Slide 20: What is the problem with TLS/SSL?
- The TLS/SSL technique is point-to-point.
- Messages are encrypted and decrypted many times along the way.
- There is a possibility of breaking the security between the browser and the cloud, which is followed by a proposal to enhance current browser security.
- An attacker can then get the DECRYPTED message and change it!

Slide 21: Opportunities for Advancement
1- For the problems in Web Browsers / SSL:
- Vendors could create web browsers that apply WS-Security concepts within the browser.
- WS-Security works at the message level, so it appears to be more suitable than SSL/TLS.
- These web browsers would then be able to use XML Encryption to provide end-to-end encryption of SOAP messages.

Slide 22: Opportunities for Advancement
2- Private Virtual Infrastructure (PVI):
- Usually, cloud computing places an organization's data under the control of a third party.
- The PVI model is designed to separate the duties between the users and the providers:
1- The PVI datacenter is under the control of the information owner.
2- The cloud fabric is under the control of the service provider.

Slide 23: Private Virtual Infrastructure (PVI)
- The client CANNOT manipulate the security settings of the fabric.
- The client CAN remove, destroy, or lock down their data at any time.
- The Service Level Agreement (SLA) between the user and the provider determines the responsibilities of all parties.
- In this model the client needs:
1- Vision into the security settings and configuration of the fabric.
2- To communicate with the PVI through a virtual private network, with all links encrypted using tunnels such as SSL.

Slide 24: Private Virtual Infrastructure (PVI)
- Trusted Computing:
- Providers are required to use trusted computing technologies, so organizations can verify their security posture in the cloud and control their information.
- The key component here is the Trusted Platform Module (TPM), a cryptographic component that stores cryptographic keys.
- Cryptographic keys can be used to attest the operating state of the platform.
- Platform Configuration Registers (PCRs) are where cryptographic keys are stored, so clients can request the PCRs to verify that the platform they are using meets their policy and configuration requirements.
- PROBLEM with TPM: it only works for non-virtualized environments.
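Added example, not from the slides or the PVI authors: it models the PCR check a client runs against its policy. A PCR holds a running hash that changes only through the TPM's extend operation, PCR_new = SHA-256(PCR_old || SHA-256(measurement)); the TPM's signed quote is stood in for by an HMAC under a constructed key (a real TPM signs with an attestation key whose certificate the client validates), and the measured components, PCR assignments and policy values are constructed.

```python
import hashlib, hmac

PCR_COUNT = 24
QUOTE_KEY = b"constructed-attestation-key"   # constructed stand-in for the TPM attestation key

def extend(pcr, measurement):
    """TPM extend: the register can only accumulate, never be set to a chosen value."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def boot(components):
    """Simulate a measured boot: each (pcr_index, blob) extends that PCR in order."""
    pcrs = [bytes(32)] * PCR_COUNT            # every PCR is zero after platform reset
    for index, blob in components:
        pcrs[index] = extend(pcrs[index], blob)
    return pcrs

def quote(pcrs, nonce):
    """Platform side: attest the PCR values; the nonce binds the quote to this request."""
    payload = nonce + b"".join(pcrs)
    return payload, hmac.new(QUOTE_KEY, payload, hashlib.sha256).digest()

def meets_policy(payload, mac, nonce, policy):
    """Client side: verify the quote, its freshness, and every PCR the policy names."""
    if not hmac.compare_digest(hmac.new(QUOTE_KEY, payload, hashlib.sha256).digest(), mac):
        return False                          # quote not produced by the trusted TPM
    if payload[:len(nonce)] != nonce:
        return False                          # stale or replayed quote
    raw = payload[len(nonce):]
    pcrs = [raw[i * 32:(i + 1) * 32] for i in range(PCR_COUNT)]
    return all(pcrs[i] == expected for i, expected in policy.items())

# Constructed measurements: PCR 0 firmware, PCR 4 boot loader, PCR 8 hypervisor image.
GOOD_BOOT = [(0, b"firmware v1"), (4, b"bootloader v2"), (8, b"hypervisor build 100")]
# The client's policy: the PCR values a known-good platform produces for those three PCRs.
POLICY = {i: v for i, v in enumerate(boot(GOOD_BOOT)) if i in (0, 4, 8)}

def check(components, nonce=b"client-nonce-1"):
    """End to end: boot the platform, request a quote, decide whether it meets POLICY."""
    payload, mac = quote(boot(components), nonce)
    return meets_policy(payload, mac, nonce, POLICY)
```

A changed hypervisor image, a missing measurement or a replayed quote each fails the check, which is the verification the slide describes the client performing.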

Slide 25: Private Virtual Infrastructure (PVI)
- Trusted Computing:
- PROBLEM with TPM: it only works for non-virtualized environments.
- Virtual TPM (VTPM): implemented by providing a software instance of a TPM for each virtual machine.
- The developers here built an architecture that secures each VM by coupling a VTPM in its own sub-domain, called Locator Bot (LoBot).
- LoBot allows each VM to be verified by its owner, and also provides secure provisioning and migration of the VM within the cloud.

Slide 26: Private Virtual Infrastructure (PVI)
- Five Tenets of Cloud Computing:
1- Trusted Cloud Platform: the provider needs to provide security services which protect and monitor the fabric.
2- PVI Factory:
- The most sensitive component of PVI.
- It is the root authority for: provisioning; VTPM key generation; certificate generation and management.
- Should be under the full control of the information owner.
- Serves as the controller and policy decision point for the PVI.

Slide 27: Private Virtual Infrastructure (PVI)
3- Measurement and Secure Provisioning:
- Providers must allow clients transparent insight into their infrastructures.
- LoBot can perform the fabric pre-measurement, which allows PVI to share the responsibility of security management.
- LoBot is a VM architecture and secure transfer protocol based on VTPM.
4- Secure Shutdown and Data Destruction:
- This process is required to ensure all sensitive data is removed before new processes are allowed to run on the same hardware.
- The PROBLEM: VMs do not provide this, so the authors recommend building it into future VM monitors or providing it through LoBot.

Slide 28: Private Virtual Infrastructure (PVI)
5- Monitoring and Auditing:
- LoBot can provide continuous monitoring of the cloud environment.
- Clients can perform the auditing process, but with that number of users and that amount of information, the legal use of the information will be decreased.
- The authors recommend sharing auditing responsibilities between service providers and clients, to give an increased ability for forensic analysis.
- Locator Bot (LoBot) is the authors' architecture and protocol for secure provisioning and secure migration of virtual machines within an IaaS cloud. LoBot also provides many other security features for PVI, such as environmental monitoring, tamper detection and secure shutdown.

Thank you. July 25, 2011. Cloud Computing & Security Issues