The Security and Privacy Threats to Cloud Computing
1. Introduction to Cloud Computing
In-depth Security Analysis for Cloud Computing [2]
Project for Trustworthy Cloud Computing and Conclusion
Bibliography
The Security and Privacy Threats to Cloud Computing
Ankit Singh
Frankfurt am Main, Germany
April 23, 2012
Ankit Singh The Security and Privacy Threats to Cloud Computing
1 Introduction to Cloud Computing
Cloud Computing Example
Three Cloud Service Models
Threats to Cloud Computing
2 In-depth Security Analysis for Cloud Computing [2]
Security weakness in Cloud Computing
Data protection requirements for cloud computing services
Government and the Cloud
3 Project for Trustworthy Cloud Computing and Conclusion
The TClouds Project
Conclusion of the Talk
4 Bibliography
Quick Introduction to Cloud Computing I
“Cloud computing is a term from information technology (IT) and
means that software, memory capacity and computer power can be
accessed via a network, for instance, the Internet or within a
Virtual Private Network (VPN), as and when it is needed.
The IT landscape (e.g. data processing centre, data storage
facilities, e-mail and collaboration software, development
environments and special software such as Customer Relationship
Management [CRM]) is no longer owned and run by the company
or institution, but is a service which can be rented from one or
more cloud service providers” [1]
Cloud Computing Example I
Figure: Cloud Computing Example (adapted from Wikipedia)
Three Cloud Service Models [1] [2] I
Software as a Service (SaaS): Users as consumers.
e.g. accounting, collaboration tools, CRM, etc.
Platform as a Service (PaaS): Data processing services.
e.g. Google App Engine and Microsoft Azure Platform.
Infrastructure as a Service (IaaS): Hosting services.
e.g. webspaces like Amazon EC2, Go Daddy, etc.
- The cloud computing service models can be viewed as layers, in the same
sequence as shown above.
- These models are deployed on top of the cloud infrastructure as
defined by NIST [3].
List of Threats to Cloud Computing [4] I
1 Abuse of Cloud Computing: Affected services: IaaS, PaaS:
- Abuse of the service under the anonymity afforded by loose registration
and validation processes.
- Adversaries use these models for spamming, writing
malicious code, etc.
2 Insecure Interfaces and APIs: Affected services:
IaaS, PaaS, SaaS:
- Service providers give customers interfaces or APIs
to manage and interact with cloud services.
- The security and availability of cloud services depend
upon the security of these basic APIs.
- Interfaces must be designed to protect against accidental
and malicious attempts to circumvent policy.
List of Threats to Cloud Computing [4] II
3 Malicious Insiders: Affected services: IaaS, PaaS, SaaS:
- An adversary can harvest confidential data or gain complete
control over cloud services, depending on the level of access.
4 Shared Technology Issues: Affected services: IaaS:
- Disk partitions, CPU caches, GPUs and other shared
elements were never designed for strong
compartmentalization.
- A virtualization hypervisor addresses this gap by
mediating access between guest operating systems and physical
compute resources.
- Hypervisors themselves have flaws, which may result in gaining
inappropriate levels of control or influence on the underlying
platform.
List of Threats to Cloud Computing [4] III
5 Data Loss or Leakage: Affected services: IaaS, PaaS, SaaS:
- Deletion or alteration of records without a backup of the
original content.
- Unlinking a record from a larger context may render it
unrecoverable.
- Unauthorized parties must be prevented from gaining access
to sensitive data.
- Examples: Insufficient authentication, authorization and
audit (AAA) controls
List of Threats to Cloud Computing [4] IV
6 Account or Service Hijacking: Affected services:
IaaS, PaaS, SaaS:
- Attack methods such as phishing, fraud and exploitation of
software vulnerabilities still achieve results. Credentials and
passwords are often reused.
7 Unknown Risk Profile: Affected services: IaaS, PaaS, SaaS:
- Versions of software, code updates, security practices,
vulnerability profiles and intrusion attempts are factors in
estimating a company's security posture.
- Questions that need to be addressed include: how are data and
related logs stored, and who has access to them? What
information may be disclosed in case of a security breach?
Security weakness in Cloud Computing I
Cloud providers fail to provide encryption to their users:
- Cloud service providers do not provide encrypted access to
their Web applications.
Man-in-the-middle attacks:
- An attacker redirects traffic between a client and a server
through himself.
- Achieved by forging DNS packets, DNS cache poisoning, or
ARP spoofing.
- Prevention: DNSSEC and HTTPS/TLS are two
technologies which can prevent this attack.
Security weakness in Cloud Computing II
Data encryption caveats:
- Where will the encryption key be stored?
- Where will the encryption and decryption processes be
performed?
User interface attacks:
- A Web browser is used for accessing Web applications. Thus,
the browser's user interface becomes an important security factor.
- Example: An attacker tries to fool the user into thinking
that she is visiting a real website instead of a forgery.
Techniques used here include fake HTTPS lock icons.
Research Recommendations by ENISA [5] I
Research recommendations by European Network and Information
Security Agency (ENISA):
Building Trust in the Cloud:
Certification processes and standards for clouds: COBIT (52),
ITIL (53) etc.
Metrics for security in cloud computing
Effects of different forms of reporting breaches on security
Increasing transparency while maintaining appropriate levels of
security
End-to-end data confidentiality
Extending cloud-based trust to client-based data and
applications
Data Protection in Large-Scale Cross-Organizational
Systems:
Research Recommendations by ENISA [5] II
Data destruction and lifecycle management
Integrity Verification - of backups and archives in the cloud
and their version management
Forensics and evidence gathering mechanisms
Incident resolution and rules of evidence
International differences in relevant regulations, including data
protection and privacy, i.e. legal means to facilitate the smooth
functioning of multi-national cloud infrastructures.
Large-Scale Computer Systems Engineering:
Security in depth within large-scale distributed computer
systems
Security services in the cloud, i.e. adaptation of traditional
security perimeter control technologies to the cloud, like HSM,
web filters, firewalls, IDS, etc.
Research Recommendations by ENISA [5] III
Resource isolation mechanisms - data, processing, memory,
logs, etc.
Interoperability between cloud providers
Portability of VM, data and VM security settings from one
cloud provider to another (to avoid vendor lock-in), and
maintaining state and session in VM backups.
Standardization of interfaces to feed data, applications and
whole systems to the cloud.
Resource (bandwidth, CPU, etc.) provisioning and
allocation at scale (elasticity)
Scalable security management (policy and operating
procedures) within cloud platforms
Government and the Cloud [2] I
United States: One of the most important legal tools used
by the U.S. Government to force cloud providers to hand
them users’ private data is the third-party doctrine. Other
relevant laws include the Wiretap Act, the All Writs Act and
the Foreign Intelligence Surveillance Act.
Example: Facebook can provide complete profile information
and uploaded photos to law enforcement irrespective of her
privacy
Government and the Cloud [2] II
Germany: §§111 and 112 of the 2004 Telecommunications
Act (Telekommunikationsgesetz in German) allow the
government to force telecommunication service providers
(which include cloud service providers like webmail) to hand
over information such as a customer’s name, address,
birthdate, and email address, without a court order, through
an automated query system that includes a search function in
case law enforcement has incomplete request data.
Example: A case of court-ordered surveillance in Germany is the Java
Anonymous Proxy (JAP), which is open source software
for anonymously browsing websites.
The TClouds Project I
Trustworthy Clouds - TClouds is a European Commission funded
project.
GOAL: To develop a trustworthy cloud computing infrastructure,
which enables comprehensible and audit-proof processing of
personal or otherwise sensitive data in a cloud without limiting the
solution to just a physically separated private cloud [6].
Target Scenarios:
Energy Sector: Portugal's leading energy supplier Energias de
Portugal (EDP) and electronics company EFACEC in the field of
smart power grids
Healthcare Sector: Italian hospital San Raffaele in Milano
The TClouds Project II
Technical Implementation: Focuses on communication
protocols between different cloud service providers, new open
security standards, APIs and effective management components for
cloud security.
Conclusion I
Cloud computing is an upcoming field due to the attractive services
provided by cloud computing service providers.
Privacy and data security are the biggest challenges when it
comes to storing and processing critical business or personal
data in a cloud.
There are many challenges that we can only face if we
understand what we are dealing with, how it may affect us
and which possible solutions exist.
We must convince cloud providers and users of the
importance of implementing available security technologies.
Conclusion II
The requirements of national and international data
protection laws are a major concern. As a consequence, this
leads to stronger market growth of so-called private and
community clouds, which are aligned more closely to the specific
requirements of single customers or a narrowly defined user
group.
Putting sensitive and private data in the cloud should be
avoided due to current security threats.
Bibliography I
[1] SWISS - Guide to cloud computing, Federal Data Protection and Information Commissioner FDPIC.
[2] Security, Privacy and Cloud Computing, Jose Tomas Robles Hahn, Future Internet Seminar - Winter Term 2010/2011, Chair for Network Architectures and Services, Faculty of Computer Science, Technische Universität München.
[3] National Institute of Standards and Technology, U.S. Department of Commerce, Guidelines on Security and Privacy in Public Cloud Computing, Wayne Jansen, Timothy Grance.
[4] Top Threats to Cloud Computing 2010, prepared by the Cloud Security Alliance, March 2010.
[5] Cloud Computing: Benefits, risks and recommendations for information security, European Network and Information Security Agency.
[6] Trustworthy Clouds (TClouds) - Privacy meets Innovation, by Eva Schlehahn and Marit Hansen, Independent Centre for Privacy Protection Schleswig-Holstein, Germany.
[7] Cloud Security Alliance (CSA), https://cloudsecurityalliance.org/ Last access: April 23, 2012.