CLOUD COMPUTING AND SECURITY
By V. Harshith
• Location independent computing
• Shared servers resources, software, and data
• Elasticity (Use of computer resources Dynamically)
• Cost reduction
• Natural evolution of Cloud:
– Virtualization
– Service-Oriented Architecture
– Utility computing
• Details are abstracted from consumers
Cloud Computing: A Game Changing Technology
Computing Paradigms
• Distributed Computing
– Cluster Computing
– Grid Computing
• Parallel Computing
– Super Computing
• Ubiquitous Computing
• Pervasive Computing
• Mobile Computing
• Utility Computing
• Soft Computing
• Cloud Computing
CLOUD COMPUTING
Cloud computing is a synonym for distributed computing.
Cloud computing is Internet-based computing, whereby shared
resources, software and information are provided to
computers and other devices on demand.
• Users simply rent or access the software.
• Paying only for what they use.
• Everything Old Becomes New Again
Characteristics
Cloud computing has a variety of characteristics
ON DEMAND SELF SERVICES.
Shared Infrastructure:
Enabling the sharing of physical services,
storage, and networking capabilities.
Dynamic Provisioning:
Based on current demand requirements
levels of reliability and security
• Network Access:
Access the internet from a broad range of
devices such as PCs, laptops, and mobile
devices, using standards-based APIs.
Managed Metering:
Managing and optimizing the service and to
provide reporting and billing information.
CLOUD SERVICE MODELS
SaaS Examples
• Email, photo sharing, calendars and contacts
– Google Apps, Flickr
– BitTorrent
• Document sharing
Amazon EC2
• Elastic Cloud Computing
• virtual servers for rent
• called Amazon Machine Images (AMIs)
• priced per hour, from $1 to $2
• Gov-Apps, Internet Services
• Blogging/Surveys/Twitter, Social Networking
• Information/Knowledge Sharing (Wiki)
• Communication (e-mail), Collaboration (e-meeting)
• Productivity Tools (office)
• Enterprise Resource Planning (ERP)
PaaS
• Application Development, Data, Workflow, etc.
• Security Services (Single Sign-On, Authentication, etc.)
• Database Management
• Directory Services
• Networks, Security, Mainframes, Servers, Storage
• Telecom Carrier Services
• IT Facilities/Hosting Services
Types of Clouds
• Public Cloud
• Private Cloud
• Hybrid Cloud
Why Do We Need The Cloud?
• Increased accessibility
• Decreased operating expenses
• Elimination of upfront costs
• Immediate upgrades
• Lower outages
Cloud computing service providers predict the
business will grow above 150 billion dollars by
the end of 2013. Below is a partial list of companies
that provide cloud computing services.
• Cloud service providers can be considered
similar to silent business partners.
• Amazon • Citrix • CohesiveFT • FlexiScale
• Google • IBM • iCloud • Joyent • Microsoft
• MozyHome • Nirvanix • Rackspace
• Salesforce.com • Sun • VMware • 3tera
Benefits
• Cost Savings
• Scalability/Flexibility
• Reliability
• Maintenance
• Mobile Accessible
What cloud gives us, generally
• low initial capital investment
• shorter start-up time for new services
• lower maintenance and operation costs
• higher utilization through virtualization
• easier disaster recovery
Companies are still afraid to use clouds
The Major Issue is Security
Cloud Security
• Mobility is a basic need and essential for economic
development.
• To move critical applications and sensitive data to
public and shared cloud environments via Internet.
• Security is one of the most difficult tasks to
implement in cloud computing.
Where is the Data?
• Different countries have different requirements
and controls placed on access.
• As your data is in the cloud, you may not realize
that the data must reside in a physical location.
• Your cloud provider should agree in writing to
provide the level of security required for its
customers.
Who has Access?
• Access control is a key concern as insider attacks
are a huge risk. Insider attacks are a huge concern
as a potential hacker is someone who has been
entrusted with approved access to the cloud.
• Anyone considering using the cloud needs to look
at who is managing their data and what types of
controls are applied to these individuals.
What are the regulatory requirements?
• Organizations operating in the US, Canada, or the
European Union have many regulatory
requirements that they must abide by (e.g., ISO
27002, Safe Harbor, ITIL, and COBIT).
• We must ensure that the cloud provider is able to
meet these requirements and is willing to undergo
certification, accreditation, and review.
Do you have the right to audit?
• This particular item is no small matter in that the
cloud provider should agree in writing to the
terms of audit.
• With Cloud Computing maintaining compliance
will become more difficult to achieve and even
harder to demonstrate to auditors and assessors.
What type of training does the provider offer their employees?
• This is actually a rather important item in that
people will always be the weakest link in security.
Knowing how your provider trains their employees
is an important issue to review.
What type of data classification does the provider use?
• How is your data separated from other users?
• Encryption should also be discussed. Is it being
used while the data is at rest and in transit?
• You will also want to know what type of encryption
is being used.
• As an example, there is a big difference between
WEP and WPA2 (Wi-Fi Protected Access II).
What is in the SLA?
• The SLA (Service Level Agreement) serves as a
contracted level of guaranteed service between
the cloud provider and the customer that
specifies what level of services will be provided.
What is the long term viability of the provider?
• How long has the cloud provider been in business
and what is their track record? If they go out of
business, what happens to your data? Will your
data be returned, and if so, in what format?
What happens if there is a security breach?
• If a security incident occurs, what support will the
customer receive from the cloud provider?
• While many providers promote their services as
being un-hackable, cloud based services are an
attractive target to hackers.
Critical Threats of Cloud Security
• Account Hijacking
• Denial of Service (DoS)
• Data Loss
• Insecure APIs
• Data Breaches
• Malicious Insiders
• Abuse of Cloud Services
• Shared Technology Issues
Security Attributes
• Confidentiality
• Integrity
• Authentication
• Non-Repudiation
• Availability
Cloud Computing Attacks
Account Hijacking
• Authentication Attacks
• Authentication plays a critical role in the security of
web applications.
• When a user provides his login name and password
to authenticate and prove his identity, the application
assigns the user specific privileges to the system,
based on the identity established by the supplied
credentials.
Denial of Service (DoS)
• The main aim is to stop the victim’s machine from doing
its required job
• Server unable to provide service to legitimate
clients
• Damage done varies from minor inconvenience to
major financial losses
Man in the Middle Attack (MitM)
• A man in the middle attack is one in which the attacker
intercepts messages in a public key exchange and
then retransmits them, substituting his own public key
for the requested one, so that the two original parties
still appear to be communicating with each other.
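The key substitution described above, and the check that detects it, as an added example that is not part of the original slides: a toy Diffie-Hellman exchange in Python where each party compares the received public key against a fingerprint obtained out of band. The group parameters, the function names and the simulated relay are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group (assumption for illustration): Mersenne prime 2**127 - 1, base 3.
# Far too small for real use; it only keeps the arithmetic readable.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """SHA-256 fingerprint of a public key, the value compared out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def shared_secret(my_priv, peer_pub, pinned_fp=None):
    """Derive the shared secret; refuse a key that does not match the pin."""
    if pinned_fp is not None and fingerprint(peer_pub) != pinned_fp:
        raise ValueError("peer public key does not match pinned fingerprint")
    return pow(peer_pub, my_priv, P)

def run_exchange(pin_keys):
    """Simulate one exchange with a key-substituting relay in the path."""
    a_priv, a_pub = keypair()   # requesting party
    b_priv, b_pub = keypair()   # responding party
    m_priv, m_pub = keypair()   # relay's own key pair
    # The relay forwards its own public key in place of each real one.
    seen_by_a, seen_by_b = m_pub, m_pub
    # With pinning, each side already holds the other's real fingerprint.
    a_pin = fingerprint(b_pub) if pin_keys else None
    b_pin = fingerprint(a_pub) if pin_keys else None
    try:
        a_key = shared_secret(a_priv, seen_by_a, a_pin)
        b_key = shared_secret(b_priv, seen_by_b, b_pin)
    except ValueError:
        return "rejected"
    # Unpinned: both sides succeed, but each secret is shared with the relay.
    relay_knows_both = (a_key == pow(a_pub, m_priv, P)
                        and b_key == pow(b_pub, m_priv, P))
    return "intercepted" if relay_knows_both else "ok"

if __name__ == "__main__":
    print("no pinning:  ", run_exchange(pin_keys=False))
    print("with pinning:", run_exchange(pin_keys=True))
```

The same idea underlies certificate validation in TLS: the exchange is only safe when the public key is bound to an identity the receiver can verify independently.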
Side Channel Attack
• Information leakage from implementation
• Attacker tries to scan channel loops.
• Everything must have a beginning, to speak in
Sanchean phrase; and that beginning must be
linked to something that went before. Hindus
give the world an elephant to support it, but they
make the elephant stand upon a tortoise.
• Invention, it must be humbly admitted, does not
consist in creating out of void, but of chaos; the
material must, in the first place, be afforded …
Common cloud names and Shapes
Cloud types
Thank You