Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cloud Computing Cloud Security– an overview Keke Chen.

Published byMartina Bell Modified over 9 years ago

Similar presentations

Presentation on theme: "Cloud Computing Cloud Security– an overview Keke Chen."— Presentation transcript:

1 Cloud Computing Cloud Security– an overview Keke Chen

2 Outline  Introduction  Infrastructure security  Data security  Identity and access management

3 Introduction  Many security problems in non-cloud environment are still applicable  We focus on cloud-specific problems  Reference book “cloud security and privacy”

4 overview

5 Infrastructure security  Infrastructure IaaS, PaaS, and SaaS  Focus on public clouds No special security problems with private clouds – traditional security problems only  Different levels Network level Host level Application level

6 Network level  confidentiality and integrity of data-in-transit Amazon had security bugs with digital signature on SimpleDB, EC2, and SQS accesses (in 2008)  Less or no system logging /monitoring Only cloud provider has this capability Thus, difficult to trace attacks  Reassigned IP address Expose services unexpectedly spammers using EC2 are difficult to identify  Availability of cloud resources Some factors, such as DNS, controlled by the cloud provider.  Physically separated tiers become logically separated E.g., 3 tier web applications

7 Host level (IaaS)  Hypervisor security “zero-day vulnerability” in VM, if the attacker controls hypervisor  Virtual machine security Ssh private keys (if mode is not appropriately set) VM images (especially private VMs) Vulnerable Services

8 Application level  SaaS application security In an accident, Google Docs access control failed. All users can access all documents

9 Data Security  Data-in-transit  Data-at-rest  Data processing  Data lineage  Data provenance  Data remanence

10  Data-in-transit Confidentiality and integrity The Amazon digital signature problem  Data-at-rest & processing data Possibly encrypted for static storage Cannot be encrypted for most PaaS and SaaS (such as Google Apps) – prevent indexing or searching  Research on indexing/searching encrypted data  Fully homomorphic encryption?

11 Data lineage  Definition: tracking and managing data  For audit or compliance purpose  Data flow or data path visualization  Time-consuming process even for inhouse data center Not possible for a public cloud

12 Data provenance  Origin/ownership of data Verify the authority of data Trace the responsibility e.g., financial and medical data  Difficult to prove data provenance in a cloud computing scenario

13 Data remanence  Data left intact by a nominal delete operation In many DBMSs and file systems, data is deleted by flagging it.  Lead to possible disclosure of sensitive information  Department of Defense: National Industrial security program operating manual Defines data clearing and sanitization

14 Provider’s data and its security  The provider collects a huge amount of security-related data Data possibly related to service users If not managed well, it is a big threat to users’ security

15

16 Identity and Access Management  Traditional trust boundary reinforced by network control VPN, Intrusion detection, intrusion prevention  Loss of network control in cloud computing  Have to rely on higher-level software controls Application security User access controls - IAM

17  IAM components Authentication Authorization Auditing  IAM processes User management Authentication management Authorization management Access management – access control Propagation of identity to resources Monitoring and auditing

18

19 IAM standards and specifications  avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience  SAML(Security Assertion Markup Lang).  automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning  SPML (service provisioning markup lang).  provision user accounts with appropriate privileges and manage entitlements  XACML (extensible access control markup lang).  authorize cloud service X to access my data in cloud service Y without disclosing credentials  Oauth (open authentication).

20 ACS: Assertion Consumer Service. SSO : single sign-on Google Account Example:

21 SPML example: What happens when an account is created?

22 PEP: policy enforcement point (app interface) PDP: policy decision point XACM Examples: How does your access is verified?

23 OAuth example: Authorize the third party to Access your data/credential

24 IAM standards/protocols  OpenID  Information Cards  Open Authentication (OATH)

25 IAM practice- Identity federation  Dealing with heterogeneous, dynamic, loosely coupled trust relationships  Enabling “Login once, access different systems within the trust boundary” Single sign-on (SSO) Centralized access control services Yahoo! OpenID

26 summary  Infrastructure-level security – example in previous lecture  Data security & privacy – next class Outsourced data: confidentiality, privacy, and integrity  IAM – service level Actually, independent of cloud computing, more general to service computing

Download ppt "Cloud Computing Cloud Security– an overview Keke Chen."

Similar presentations

Cloud computing is used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication.

Cloud computing is used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication.
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.

Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Dr. Bhavani Thuraisingham June 2013

Dr. Bhavani Thuraisingham June 2013
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.
1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.

1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.
© 2011 IBM Corporation Cloud Security Perspectives Dan Carlsen Certified Security IT Specialist – IBM

© 2011 IBM Corporation Cloud Security Perspectives Dan Carlsen Certified Security IT Specialist – IBM
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Security Controls – What Works

Security Controls – What Works
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
Security Issues in Elastic Clouds

Security Issues in Elastic Clouds
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.

FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Cloud Usability Framework

Cloud Usability Framework
M.A.Doman 2011. Model for enabling the delivery of computing as a SERVICE.

M.A.Doman Model for enabling the delivery of computing as a SERVICE.
Understanding Active Directory

Understanding Active Directory
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.

Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.
© 2004-2014. Centrify Corporation. All Rights Reserved. Unified Identity Management across Data Center, Cloud and Mobile.

© Centrify Corporation. All Rights Reserved. Unified Identity Management across Data Center, Cloud and Mobile.

Similar presentations

Ads by Google