Download presentation
Presentation is loading. Please wait.
Published byBrendan Harrington Modified over 8 years ago
2
Cloud Security By Mahendran R Zylog Systems Ltd 04 Aug 12
3
What is Cloud Computing * National Institute of Standards and Technology v15 Providing IT resources as a Service
4
Defining the Cloud On demand usage of compute and storage 5 principal characteristics (abstraction, sharing, SOA, elasticity, consumption/allocation) 3 delivery models Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) 4 deployment models: Public, Private, Hybrid, Community
5
S-P-I Model IaaS Infrastructure as a Service You build security in You “RFP” security in PaaS Platform as a Service SaaS Software as a Service
6
SaaS - Software as a Service What is SaaS The sole requirement for SaaS is a computer with a browser, quite basic. SaaS is a recurring subscription based model delivered to the customer on demand – Pay as you use.
7
SaaS - Software as a Service Figure shows SaaS Component Stack and Scope of Control as defined by NIST
8
PaaS - Platform as a Service What is PaaS The PaaS provider will deliver the platform on the web, and in most cases you can consume the platform using your browser. There is no need to download any software This middle layer of cloud is consumed mainly by developers or tech savvy individuals.
9
PaaS - Platform as a Service A PaaS typically includes the development environment, programming languages, compilers, testing tools and deployment mechanism. In some cases, like Google Apps Engine (GAE), the developers may download development environment and use them locally in the developer’s infrastructure, or the developer may access tools in the provider’s infrastructure through a browser. Figure shows PaaS Component Stack and Scope of Control as defined by NIST
10
IaaS - Infrastructure as a Service What is IaaS The System Administrators are the subscriber of this service. Usage fees are calculated per CPU hour, data GB stored per hour, network bandwidth consumed, network infrastructure used per hour, value added services used, e.g., monitoring, auto-scaling etc.
11
IaaS - Infrastructure as a Service Figure shows IaaS Component Stack and Scope of Control as defined by NIST
12
In Simple..........
13
Service Models Host Build Consume
14
Deployment Models “Virtualization is a modernization catalyst and unlocks cloud computing.” ―Gartner Private Cloud Public Cloud Hybrid Cloud
15
About the Global, not-for-profit organization Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and on and on… We believe Cloud Computing has a robust future, we want to make it better “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
16
Top Threats to Cloud Computing Threat #1: Abuse and Nefarious Use of Cloud Computing Threat #2: Insecure Interfaces and APIs Threat #3: Malicious Insiders Threat #4: Shared Technology Issues Threat #5: Data Loss or Leakage Threat #6: Account or Service Hijacking Threat #7: Unknown Risk Profile
17
Top Threats to Cloud Computing Threat #1: Abuse and Nefarious Use of Cloud Computing ( IaaS,PaaS) The easiness of registering for IaaS solutions and the relative anonymity they offer attracts many a cyber criminal. IaaS offerings have been known to host botnets and/or their command and control centers, downloads for exploits, Trojans, etc. There is a myriad of ways in which in-the-cloud capabilities can be misused - possible future uses include launching dynamic attack points, CAPTCHA solving farms, password and key cracking and more. To remediate this, IaaS providers should toughen up the weakest links: the registration process and the monitoring of customer network traffic. 6/14/2016 16
18
Top Threats to Cloud Computing Threat #2: Insecure Interfaces and APIs(IaaS,PaaS,SaaS) Cloud Computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Furthermore, organizations and third parties often build upon these interfaces to offer value-added services to their customers. This introduces the complexity of the new layered API; it also increases risk, as organizations may be required to relinquish their credentials to third parties in order to enable their agency 6/14/2016 17
19
Top Threats to Cloud Computing Threat #3: Malicious Insiders(IaaS,PaaS,SaaS) The threat of a malicious insider is well-known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance.To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary — ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. 6/14/2016 18
20
Top Threats to Cloud Computing Threat #4: Shared Technology Issues(IaaS) IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources. Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform. A defence in depth strategy is recommended, and should include compute, storage, and network security enforcement and monitoring. Strong compartmentalization should be employed to ensure that individual customers do not impact the operations of other tenants running on the same cloud provider. Customers should not have access to any other tenant’s actual or residual data, network traffic, etc. 6/14/2016 19
21
Top Threats to Cloud Computing Threat #5: Data Loss or Leakage(IaaS,PaaS,SaaS) There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media. Loss of an encoding key may result in effective destruction. Finally, unauthorized parties must be prevented from gaining access to sensitive data.The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architecturalor operational characteristics of the cloud environment 6/14/2016 20
22
Top Threats to Cloud Computing Threat #6: Account or Service Hijacking(IaaS,PaaS,SaaS) Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which mplifies the impact of such attacks. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks. 6/14/2016 21
23
Top Threats to Cloud Computing Threat #7: Unknown Risk Profile(IaaS,PaaS,SaaS) One of the tenets of Cloud Computing is the reduction of hardware and software ownership and maintenance to allow companies to focus on their core business strengths. This has clear financial and operational benefits, which must be weighed carefully against the contradictory security concerns — complicated by the fact that cloud deployments are driven by anticipated benefits, by groups who may lose track of the security ramifications. Versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design, are all important factors for estimating your company’s security posture. Information about who is sharing your infrastructure may be pertinent, in addition to network intrusion logs, redirection attempts and/or successes, and other logs.Security by obscurity may be low effort, but it can result in unknown exposures. It may also impair the in-depth analysis required highly controlled or regulated operational areas 6/14/2016 22
24
Thank You Any Queries feel free to mail me: Mahendran.me@gmail.com
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.