
0 Fundamental Cloud Security
Cloud Computing, Lecture Note 4: Fundamental Cloud Security. 오상규, Graduate School of Information and Communications

1 Basic Terms and Concepts – 1/3
Overview
- Information security is a complex ensemble of techniques, technologies, regulations and behaviors that collaboratively protect the integrity of and access to computer systems and data.
- IT security measures aim to defend against threats and interference that arise from both malicious intent and unintentional user error.
Confidentiality
- The characteristic of something being made accessible only to authorized parties
- Primarily restricting access to data in transit and storage in cloud environments
[Figure labels: Message Transfer; Cloud Service Consumer; Cloud; Data Stored]
Integrity
- The characteristic of not having been altered by an unauthorized party
- Data cloud customers stored = data cloud customers retrieved
[Figure labels: Data Retrieved; Cloud Service Consumer; Cloud]

2 Basic Terms and Concepts – 2/3
Authenticity
- The characteristic of something having been provided by an authorized source
- Non-repudiation – the inability of a party to deny or challenge the authentication of an interaction
Availability
- The characteristic of being accessible and usable during a specified time period
- The responsibility of both cloud provider and cloud carrier
Threat
- A potential security violation that can challenge defenses in an attempt to breach privacy and/or cause harm
- All instigated threats (attacks) are designed to exploit known weaknesses or vulnerabilities.
Vulnerability
- A weakness that can be exploited either because it is protected by insufficient security controls, or because existing security controls are overcome by an attack
- Caused by configuration deficiencies, security policy weaknesses, human errors, hardware or firmware flaws, software bugs, poor security architectures, etc.
Risk
- The possibility of loss or harm arising from performing an activity
- Typically measured according to its threat level and the number of possible or known vulnerabilities
- Two metrics used to determine risk for an IT resource:
  - The probability of a threat occurring to exploit vulnerabilities in the IT resource
  - The expectation of loss upon the IT resource being compromised

3 Basic Terms and Concepts – 3/3
Security controls
- Countermeasures used to prevent or respond to security threats and to reduce or avoid risk
- Typically outlined in the security policy containing a set of rules and practices that specify how to implement a system, service or security plan for maximum protection of sensitive and critical IT resources
Security mechanisms
- Criteria describing security countermeasures comprising a defensive framework that protects IT resources, information and services
Security policies
- A set of security rules and regulations
- Defines how these rules and regulations are implemented and enforced
- Good policy bad practice…?

4 Threat Agents – 1/2
Definition
- An entity that poses a threat because it is capable of carrying out an attack
- Internal or external threats by humans or software programs
[Figure labels: Cloud Service Owner; Wants to Protect; Wants to Reduce; Establishes; Countermeasures (Security Mechanisms); Reduce; Regulate; Vulnerabilities; Exploit; Security Policy; Threats; Lead to; Risks; Poses; Increase; Wants to Abuse or Cause Loss to; Assets (IT Resources & Data); Threat Agent]

5 Threat Agents – 2/2
Anonymous attacker
- A non-trusted cloud service consumer without permissions
- Typically external software programs that launch network-level attacks through public networks
- Formulating effective attacks requires information on security policies and defenses; such attackers bypass user accounts or steal user credentials to attack
Malicious service agent
- A piece of active software that intercepts and forwards the network traffic flowing within a cloud, posing as a legitimate service agent while carrying malicious logic
- Possibly an external program that remotely intercepts and potentially corrupts network messages
Trusted attacker (malicious tenants)
- A trusted cloud service consumer with permissions
- Usually launches its attacks from within a cloud's trust boundaries by abusing legitimate credentials or via the appropriation of sensitive and confidential information
- Examples: the hacking of weak authentication processes, the breaking of encryption, the spamming of accounts, denial of service campaigns, etc.
Malicious insider
- Human threat agents acting on behalf of or in relation to the cloud provider
- Typically current or former employees or third parties with access to the cloud provider's premises
- Carry tremendous potential for damage since they may have administrative privileges for accessing cloud consumer IT resources

6 Cloud Security Threats – 1/3
Traffic eavesdropping
- Data being passively intercepted by a malicious service agent for illegitimate information gathering purposes while being transferred to or within a cloud
- Aims to compromise the confidentiality of the data and the relationship between the cloud consumer and cloud provider
- Due to the passive nature of the attack, it can go undetected for a long period of time
[Figure labels: Cloud Service Consumer; Cloud; Intercepted Message Copy]
Malicious intermediary
- Messages intercepted and altered by a malicious service agent, compromising the message's confidentiality and/or integrity
- Malicious content may be inserted before the message is forwarded to its destination
[Figure labels: Cloud Service Consumer; Cloud; Intercept & Alter Message]
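
The integrity and authenticity properties defined on slides 1 and 2, checked against the malicious-intermediary case above, as an added example that is not part of the lecture note. The function names `seal` and `open_sealed`, the message fields and the pre-shared key are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def seal(key: bytes, payload: dict) -> bytes:
    """Consumer side: serialize the payload and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_sealed(key: bytes, wire: bytes) -> dict:
    """Receiver side: recompute the tag and refuse the message on mismatch."""
    if len(wire) <= TAG_LEN:
        raise ValueError("message too short to carry a tag")
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed: altered or unauthorized source")
    return json.loads(body)


def demo() -> dict:
    key = secrets.token_bytes(32)  # assumed shared by consumer and cloud service
    # Constructed sample message.
    wire = seal(key, {"action": "store", "object": "report.csv", "size": 1024})
    results = {"untouched": open_sealed(key, wire)["object"]}

    # Body altered in transit; the intermediary cannot recompute the tag.
    altered = wire[:-TAG_LEN].replace(b"report.csv", b"other1.csv") + wire[-TAG_LEN:]
    # Whole message produced by a party that does not hold the shared key.
    forged = seal(secrets.token_bytes(32), {"action": "delete", "object": "report.csv"})
    for name, msg in (("altered", altered), ("forged", forged)):
        try:
            open_sealed(key, msg)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"

    # The tag covers integrity and authenticity only. The body is still readable
    # to an eavesdropper, so confidentiality needs encryption (e.g. TLS) as well.
    results["body_readable_on_wire"] = b"report.csv" in wire
    return results


if __name__ == "__main__":
    print(demo())
```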

7 Cloud Security Threats – 2/3
Denial of service (DoS)
- Intentional sabotage of a shared physical IT resource by overloading it so that the IT resource can hardly be allocated to other consumers sharing the same IT resource
- Typically done by generating excessive messages, consuming the full network bandwidth, or sending multiple requests that consume excessive CPU time and memory
[Figure labels: Cloud Service Consumer A; Cloud Service Consumer B (Attacker); Virtual Server A; Virtual Server B; A Load; B Load; Physical Server]
Insufficient authorization
- A case when access is granted to an attacker erroneously or too broadly, resulting in the attacker getting access to IT resources that are normally protected
- Another case (Weak Authentication) when weak passwords or shared accounts are used to protect IT resources
[Figure labels: Legitimate Consumer; Malicious Attacker; Protected IT Resource]

8 Cloud Security Threats – 3/3
Virtualization attack (Overlapping Trust Boundaries)
- By the nature of resource virtualization, physical resources are shared by multiple virtual users in a virtualized environment
- Inherent risk that some cloud consumers could abuse their access rights to attack the underlying physical IT resources
[Figure labels: Cloud Service Consumer A; Cloud Service Consumer B; Virtual Server A; Virtual Server B; Shared Physical IT Resource]

9 Additional Considerations – 1/3
Flawed implementations
- Faulty design, implementation or configuration of cloud service deployments can have undesirable consequences.
- Attackers can exploit those vulnerabilities to impair the integrity, confidentiality and/or availability of the cloud provider's IT resources if the cloud provider's software and/or hardware have inherent security flaws or operational weaknesses.
Security policy disparity
- Cloud consumers need to accept the given cloud provider's security approach, which may not be identical or even similar to a traditional information security approach, when they sign up for a public cloud service.
- Even when leasing raw infrastructure-based IT resources, the cloud consumer may not be granted sufficient administrative control or influence over security policies that apply to the IT resources leased from the cloud provider, primarily because those IT resources are legally owned by the cloud provider.
- With some public clouds, additional third parties – such as security brokers and certificate authorities – may introduce their own distinct set of security policies and practices, further complicating any attempt to standardize the protection of cloud consumer assets.
Contracts
- Cloud consumers need to carefully examine contracts and SLAs provided by the cloud provider to ensure that security policies and other relevant guarantees are satisfactory when it comes to asset security.
- The amount of reliability assumed by the cloud provider and/or the level of indemnity that the cloud provider may ask for must be specified in clear language.

10 Additional Considerations – 2/3
- Sometimes it is hard to determine who is responsible when a security breach (or other type of runtime failure as well) occurs if the cloud consumer's solution is running on top of IT resources provided by the cloud provider, especially when the security policies of both parties are different from each other. (Shop around for the right cloud providers with compatible contractual terms and security policies.)
Risk management
- Before adopting a cloud platform, potential cloud consumers are encouraged to perform a formal risk assessment as part of a risk management strategy.
- Risk management is comprised of a set of coordinated activities for overseeing and controlling risks – risk assessment, risk treatment and risk control:
Risk assessment
- In the risk assessment stage, the given cloud environment is analyzed to identify potential vulnerabilities and shortcomings that threats can exploit.
- The cloud consumers can ask the potential cloud provider for statistics and other information about past attacks (both successful and unsuccessful) carried out in its cloud.
- The identified risks are quantified and qualified according to the probability of occurrence and the degree of impact in relation to how the cloud consumer plans to utilize cloud-based IT resources.
Risk treatment
- Mitigation policies and plans are designed during the risk treatment stage with the intent of successfully treating the risks that were discovered during risk assessment.
- Some risks can be eliminated, some can be mitigated, while others can be dealt with via outsourcing or even incorporated into the insurance and/or operating loss budgets.
- The cloud provider itself may agree to assume responsibility as part of its contractual obligations.

11 Additional Considerations – 3/3
Risk control
- The risk control stage is related to risk monitoring – a three-step process that is comprised of surveying related events, reviewing these events to determine the effectiveness of previous assessments and treatments, and identifying any policy adjustment needs.
- Depending on the nature of monitoring required, this stage may be carried out or shared by the cloud provider.
- More is covered on Cloud Security Mechanisms in Lecture Note 8.
[Figure labels: Risk Assessment; Threats; Risk Identification; Risk Evaluation; Risk Control; Risk Treatment; Risk Review; Risk Mitigation Policy; Risk Monitoring; Risk Mitigation Actions]

12 Cloud Computing: End of Lecture Note. 오상규, Graduate School of Information and Communications

