Overview
- Abstract
- Vulnerability: An Overview
- Cloud Computing
- Cloud-Specific Vulnerabilities
- Architectural Components and Vulnerabilities
- Conclusion

Abstract
Cloud Computing: Blog, News, Gmail, Amazon, Google Map, Plurk, Facebook, Twitter

Vulnerability: An Overview
ISO defines risk as “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization”
  EX: DB Server SQL injection
  EX: Sony PSN

Vulnerability: An Overview
Defining Vulnerability
According to the Open Group’s risk taxonomy, vulnerability is the probability that an asset will be unable to resist the actions of a threat agent.
  EX: Intranet vs. Extranet

Cloud Computing
Core Cloud Computing Technologies

Cloud Computing
Essential Characteristics of Cloud Computing (NIST description)
- On-demand self-service.
- Ubiquitous network access.
- Resource pooling.
- Rapid elasticity.
- Measured service.

Cloud-Specific Vulnerabilities
Core-Technology Vulnerabilities
- Virtual machine escape. EX: VM attack
- Session riding and hijacking. EX: Cross-site Request Forgery
- Insecure or obsolete cryptography. EX: Password attack

Cloud-Specific Vulnerabilities
Essential Cloud Characteristic Vulnerabilities
- Unauthorized access to management interface. EX: Azure management
- Internet protocol vulnerabilities. EX: Scan Host Protocol
- Data recovery vulnerability. EX: Natural disasters
- Metering and billing evasion. EX: Pay Money

Cloud-Specific Vulnerabilities
Defects in Known Security Controls - IaaS
- Virtualized networks offer insufficient network-based controls. EX: vulnerability scanning is invalid
- Poor key management procedures. EX: many different kinds of keys
- Security metrics aren’t adapted to cloud infrastructures. EX: cloud customers can’t monitor resources

Architectural Components and Vulnerabilities

Cloud Software Infrastructure and Environment - PaaS
- A development and runtime environment. EX: more supported languages
- Storage services. EX: database interface
- Communication infrastructure. EX: Azure AppFabric Service Bus

Architectural Components and Vulnerabilities
Computational Resources
- Concerns how virtual machine images are handled.
  EX: a VM is not a free resource
  EX: image can be taken from an untrustworthy source

Architectural Components and Vulnerabilities
Storage
- Obsolete cryptography and poor key management. EX: physical disk destruction can’t be carried out

Architectural Components and Vulnerabilities
Communication
- Vulnerabilities of shared network infrastructure components

Architectural Components and Vulnerabilities
Cloud Web Applications
- An application component operated somewhere in the cloud.
- A browser component running within the user’s browser.
  EX: session riding and hijacking vulnerabilities and injection vulnerabilities.

Architectural Components and Vulnerabilities
Services and APIs
- Application URL would only give the user a browser component

Architectural Components and Vulnerabilities
Management Access
- Management access is often realized using a Web application or service

Architectural Components and Vulnerabilities
Identity, Authentication, Authorization, and Auditing Mechanisms
- Denial of service by account lockout. EX: Lock Account
- Weak credential-reset mechanisms. EX: not using federated authentication
- Insufficient or faulty authorization checks. EX: root cause of URL-guessing attacks
- Coarse authorization control. EX: duty separation
- Insufficient logging and monitoring possibilities. EX: no standards for logging and monitoring

Architectural Components and Vulnerabilities
Provider
- Users’ inability to control cloud infrastructure

Conclusion
Cloud computing is in constant development

Any questions?