Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture XIV: Cloud Software Security CS 4593 Cloud-Oriented Big Data and Software Engineering.

Published byImogen Newton Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture XIV: Cloud Software Security CS 4593 Cloud-Oriented Big Data and Software Engineering."— Presentation transcript:

1 Lecture XIV: Cloud Software Security CS 4593 Cloud-Oriented Big Data and Software Engineering

2 Cloud Computing Parts NIST defines cloud computing by: 5 essential characteristics 3 cloud service models 4 cloud deployment models 2

3 Essential Characteristics On-demand service Get computing capabilities as needed automatically Broad Network Access Services available over the net using desktop, laptop, PDA, mobile phone 3

4 Essential Characteristics Resource pooling Provider resources pooled to server multiple clients Rapid Elasticity Ability to quickly scale in/out service Measured service control, optimize services based on metering 4

5 Cloud Service Models Software as a Service (SaaS) We use the provider apps User doesn’t manage or control the network, servers, OS, storage or applications Platform as a Service (PaaS) User deploys their apps on the cloud Controls their apps User doesn’t manage servers, IS, storage 5

6 Cloud Service Models Infrastructure as a Service (IaaS) Consumers gets access to the infrastructure to deploy their stuff Doesn’t manage or control the infrastructure Does manage or control the OS, storage, apps, selected network components 6

7 Deployment Models Public Cloud infrastructure is available to the general public, owned by org selling cloud services Private Cloud infrastructure for single org only, may be managed by the org or a 3 rd party, on or off premise 7

8 Deployment Models Community Cloud infrastructure shared by several orgs that have shared concerns, managed by org or 3 rd party Hybrid Combo of >=2 clouds bound by standard or proprietary technology 8

9 AvailabilityConfidentialityIntegrity Basic Security 9

10 Confidentiality 10

11 Integrity 11

12 Availability 12

13 Cloud Security !! A major Concern Security concerns arising because both customer data and program are residing at Provider Premises. Security is always a major concern in Open System Architectures Customer Customer Data Customer Code Provider Premises 13

14 Security Is the Major Challenge 14

15 Why Cloud Computing brings new threats? Traditional system security mostly means keeping bad guys out The attacker needs to either compromise the auth/access control system, or impersonate existing users 15

16 Why Cloud Computing brings new threats? Cloud Security problems are coming from : Loss of control Lack of trust (mechanisms) Multi-tenancy These problems exist mainly in 3rd party management models Self-managed clouds still have security issues, but not related to above 16

17 Why Cloud Computing brings new threats? Consumer’s loss of control Data, applications, resources are located with provider User identity management is handled by the cloud User access control rules, security policies and enforcement are managed by the cloud provider Consumer relies on provider to ensure Data security and privacy Resource availability Monitoring and repairing of services/resources 17

18 Why Cloud Computing brings new threats? Multi-tenancy : Multiple independent users share the same physical infrastructure So, an attacker can legitimately be in the same physical machine as the target 18

19 Who is the attacker? Insider? Malicious employees at client Malicious employees at Cloud provider Cloud provider itself Outsider? Intruders Network attackers? 19

20 Attacker Capability: Malicious Insiders At client Learn passwords/authentication information Gain control of the VMs At cloud provider Log client communication 20

21 Attacker Capability: Cloud Provider What? Can read unencrypted data Can possibly peek into VMs, or make copies of VMs Can monitor network communication, application patterns 21

22 Attacker Capability: Outside attacker What? Listen to network traffic (passive) Insert malicious traffic (active) Probe cloud structure (active) Launch DoS 22

23 Challenges for the attacker How to find out where the target is located How to be co-located with the target in the same (physical) machine How to gather information about the target 23

24 Perimeter Security Model 24

25 Perimeter Security with Cloud Computing? 25

26 Perimeter Security Model Broken Threats Including the cloud in your perimeter Lets attackers inside the perimeter Prevents mobile users from accessing the cloud directly Not including the cloud in your perimeter Essential services aren’t trusted No access controls on cloud Countermeasures Drop the perimeter model! 26

27 Integrating Provider and Customer Security Threat Disconnected provider and customer security systems Fired employee retains access to cloud Misbehavior in cloud not reported to customer Countermeasures At least, integrate identity management Consistent access controls Better, integrate monitoring and notifications Notes Can use SAML, LDAP, RADIUS, XACML, IF-MAP, etc. 27

28 Failures in Provider Security Explanation Provider controls servers, network, etc. Customer must trust provider’s security Countermeasures Verify and monitor provider’s security Notes Outside verification may suffice For small business, provider security may exceed customer security 28

29 Security Issues from Virtualization Virtualization providers provide is using- ParaVirtualization or full system virtualization. Instance Isolation: ensuring that Different instances running on the same physical machine are isolated from each other. Control of Administrator on Host O/s and Guest o/s. Current VMs do not offer perfect isolation: Many bugs have been found in all popular VMMs that allow to escape from VM! Virtual machine monitor should be ‘root secure’, meaning that no level of privilege within the virtualized guest environment permits interference with the host system. 29

30 Attacks by Other Customers Threats Provider resources shared with untrusted parties CPU, storage, network Customer data and applications must be separated Countermeasures Hypervisors for compute separation MPLS, VPNs, VLANs, firewalls for network separation Cryptography (strong) Application-layer separation (less strong) 30

31 Legal and Regulatory Issues Threats Laws and regulations may prevent cloud computing Requirements to retain control Certification requirements not met by provider Geographical limitations – EU Data Privacy New locations may trigger new laws and regulations Countermeasures Evaluate legal issues Require provider compliance with laws and regulations Restrict geography as needed 31

32 Security Stack IaaS: entire infrastructure including facilities PaaS: application, Middleware, database, messaging supported by IaaS SaaS: self contained operating environment: content, presentation, apps, mgt 32

33 Key Takeaways SaaS Service levels, security, governance, compliance, liability expectations of the service & provider are contractually defined PaaS, IaaS Customer sysadmins manage the same with provider handling platform, infrastructure security 33

34 Governance Identify, implement process, controls to maintain effective governance, risk management, compliance Provider security governance should be assessed for sufficiency, maturity, consistency with user ITSEC process 34

35 3 rd Party Governance Request clear docs on how facility & services are assessed Require definition of what provider considers critical services, info Perform full contract, terms of use due diligence to determine roles, accountability 35

36 Legal, e-Discovery Functional: which functions & services in the Cloud have legal implications for both parties Jurisdictional: which governments administer laws and regulations impacting services, stakeholders, data assets Contractual: terms & conditions 36

37 Legal, e-Discovery Both parties must understand each other’s roles Litigation hold, Discovery searches Expert testimony Provider must save primary and secondary (logs) data Where is the data stored? laws for cross border data flows 37

38 Legal, e-Discovery Plan for unexpected contract termination and orderly return or secure disposal of assets You should ensure you retain ownership of your data in its original form 38

39 Compliance & Audit Hard to maintain with your requirements, harder to demonstrate to auditors Right to Audit clause Analyze compliance scope Regulatory impact on data security Evidence requirements are met 39

40 Info Lifecycle Management Data security (CIA) Data Location All copies, backups stored only at location allowed by contract, SLA and/or regulation Compliant storage (EU mandate) for storing e- health records 40

41 Portability, Interoperability When you have to switch cloud providers Contract price increase Provider bankruptcy Provider service shutdown Decrease in service quality Business dispute 41

42 Security Centralization of data = greater insider threat from within the provider Require onsite inspections of provider facilities Disaster recover, Business continuity, etc 42

43 Data Center Ops How does provider do: On-demand self service Broad network access Resource pooling Rapid elasticity Measured service 43

44 Incident Response Different trust boundaries for IaaS, PaaS, Saas Cloud apps aren’t always designed with data integrity, security in mind Provider keep app, firewall, IDS logs? Provider deliver snapshots of your virtual environment? Sensitive data must be encrypted for data breach regulations 44

45 Application Security Different trust boundaries for IaaS, PaaS, Saas Provider web application security? Secure inter-host communication channel 45

46 Encryption, Key Management Encrypt data in transit, at rest, backup media Secure key store Protect encryption keys Ensure encryption is based on industry/govt standards. NO proprietary standard Limit access to key stores Key backup & recoverability Test these procedures 46

47 ID, Access Management Determine how provider handles: Authentication Authorization, user profile management 47

48 Mid-Term Exam & Final Exam Mid-term Oct 9 th 2015 In class: 3-3:50 100 points: 17.5% of the grade Final: Dec 10 th 2015 3:15-5:45 In class 100 points: 17.5% of the grade 48

49 Mid-Term Exam & Final Exam Question types Same for mid-term and final 10 multiple choice (50 points total) 3 question & answers (50 points total) 49

50 Exam Contents-Mid Term Cloud Computing Basic Characteristics Structures Deployment models Benefits Risks Differences between IAAS, PAAS, and SAAS 50

51 Exam Contents-Mid Term Challenges of Cloud-based SE Platform Choice Working with services Price Issues Deployment Models Runtime Software Evolution Testing and Monitoring 51

52 Exam Contents-Mid Term RESTful Web Services Structure of Restful Requests and Responses Structure of Restful Service Frameworks Annotations Rules of Path resolution SOAP-based Web Services Basic Structure What are SOAP, UDDI, and WSDL 52

53 Exam Contents-Mid Term Mashups What are mashups Benefit and drawbacks Software architecture Why architecture Styles Pipe-and-filter Layered Repository 53

54 Exam Contents-Mid Term Multi-tenant architecture Multi-tenant at different layers Multi-tenant database Pack table Private table Extension table Universal table Pivot table Chunk table Task queue pattern at logic layer 54

Download ppt "Lecture XIV: Cloud Software Security CS 4593 Cloud-Oriented Big Data and Software Engineering."

Similar presentations

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.

Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
Chapter 22: Cloud Computing and Related Security Issues Guide to Computer Network Security.

Chapter 22: Cloud Computing and Related Security Issues Guide to Computer Network Security.
An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.
Security in the Cloud: Can You Trust What You Can’t Touch? Rob Johnson Security Architect, Cloud Engineering Unisys Corp.

Security in the Cloud: Can You Trust What You Can’t Touch? Rob Johnson Security Architect, Cloud Engineering Unisys Corp.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Security Controls – What Works

Security Controls – What Works
Supervisor : Mr. Hadi Salimi Advanced Topics in Information Systems Mazandaran University of Science and Technology February 4, 2011 Survey on Cloud Computing.

Supervisor : Mr. Hadi Salimi Advanced Topics in Information Systems Mazandaran University of Science and Technology February 4, 2011 Survey on Cloud Computing.
Copyright © 2009 Juniper Networks, Inc. 1 Cloud Computing: Finding the Silver Lining Steve Hanna, Juniper Networks.

Copyright © 2009 Juniper Networks, Inc. 1 Cloud Computing: Finding the Silver Lining Steve Hanna, Juniper Networks.
BETA!BETA! Building a secure private cloud on Microsoft technologies Private cloud security concerns Security & compliance in a Microsoft private cloud.

BETA!BETA! Building a secure private cloud on Microsoft technologies Private cloud security concerns Security & compliance in a Microsoft private cloud.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.

What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.
Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.

Virtual Machine approach to Security Gautam Prasad and Sudeep Pradhan 10/05/2010 CS 239 UCLA.
Cloud Computing Security

Cloud Computing Security
Agenda Who needs an Architect? Cloud and Security Key Security Differences in Private Cloud Cloud Security Challenges Secondary to Essential Characteristics.

Agenda Who needs an Architect? Cloud and Security Key Security Differences in Private Cloud Cloud Security Challenges Secondary to Essential Characteristics.
Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security,

Copyright Marchany 2010 Cloud Computing Security Issues Randy Marchany, VA Tech IT Security,
M.A.Doman 2011. Model for enabling the delivery of computing as a SERVICE.

M.A.Doman Model for enabling the delivery of computing as a SERVICE.
5205 – IT Service Delivery and Support

5205 – IT Service Delivery and Support
Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.

Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.

Similar presentations

Ads by Google