cloud computing final show
TRANSCRIPT
Wave of the Future…
Presented by: Ahmed Taha Abdel_kariem, Mahmoud Mohamed Abd El Salam, Ahmed Kandil
Supervised by: Dr. Ashraf Tamam
03/01/15
Demo Contents
INTRODUCTION: DEFINITION – HISTORY – ATTRIBUTES – CHARACTERISTICS – ADVANTAGES – DISADVANTAGES
CLOUD MODELS: DELIVERY MODEL – DEPLOYMENT MODEL
CLOUD SECURITY AND PRIVACY: SECURITY – PRIVACY – THREATS – TAXONOMY OF FEAR – PROBLEMS – SOLUTIONS
COMMENTS / OTHER ISSUES: WHY CC IS IMPORTANT – FUTURE WORK – CONCLUSION
What is Cloud Computing?
A new class of network-based computing that takes place over the Internet. It hides the complexity and details of the underlying infrastructure.
• Shared pool of configurable computing resources
• Just a web browser and your account with password!
– Once you log in, the device is “yours”.
What is Cloud Computing (Other)?
History of Cloud Computing
The concept dates from the 1960s. The term ‘Cloud’ was used in the early 1990s. IBM detailed it in 2001. Amazon datacenters followed in 2005.
In 2007 Google and IBM started a large-scale CC research project. In 2008 CC gained popularity.
Components of Cloud Computing :
Attributes
• Rapid deployment
• Low startup costs
• Costs based on usage
• Multi-tenant sharing
• Cost (sold on demand)
• Ubiquitous: “always on, anywhere, any place”
• Device and location independence
• Reliability
• Scalability
• Security
Cloud Computing characteristics
• Sustainability
• Service is fully managed by the provider
• Homogeneity
• Virtualization
• Resilient computing
Advantages
• Lower computer costs
• Improved performance (boot & run)
• Reduced software costs
• Latest version availability
• Instant software updates
• Increased data reliability (system crash & data)
• Improved document format compatibility
• Universal document access
Disadvantages
• Requires a constant Internet / intranet connection
• Features might be limited
• Stored data might not be secure
• Stored data can be lost
• General concerns (different protocols)
Delivery models
Infrastructure as a Service (IaaS): consumers get access to the infrastructure to deploy their own software.
Platform as a Service (PaaS): the user deploys customer-created applications to a cloud.
Software as a Service (SaaS): use the provider’s applications over a network.
Deployment models
Public: cloud infrastructure made available to the general public, owned by an organization selling cloud services.
Private: cloud infrastructure operated solely for a single organization; may be managed by the organization or a 3rd party.
Hybrid: a composition of two or more clouds bound together by standard technology.
Community: cloud infrastructure shared by several organizations and supporting a specific community; managed by one of the organizations or a 3rd party.
Security is the necessary steps to protect a person or property from harm (direct action - indirect action). [Reference: Lecture Notes]
Privacy rights are related to the collection, use, disclosure, storage, and destruction of personal data, PII (Personally Identifiable Information).
1. Storage
2. Retention
3. Destruction
4. Auditing, monitoring and risk management
5. Privacy breaches
Full reliance on a third party to protect personal data (data breaches have cascading effects).
Many new risks and unknowns appear (complexity).
• Personal information should be managed as part of the data used by the organization
• Protection of personal information should consider the impact of the cloud on each phase
Research conducted by the Cloud Security Alliance (CSA) in 2010 and 2013. The aim was to aid both cloud customers and cloud providers by providing the context needed to help organizations make educated risk management decisions about their cloud adoption strategies.
CSA Top Threats (2010):
Threat #1: Abuse and Nefarious Use of Cloud Computing
Threat #2: Insecure Interfaces and APIs
Threat #3: Malicious Insiders
Threat #4: Shared Technology Issues
Threat #5: Data Loss or Leakage
Threat #6: Account or Service Hijacking
Threat #7: Unknown Risk Profile
[Reference: CSA, Top Threats to Cloud Computing V1.0, prepared by the Cloud Security Alliance, March 2010]
Threat #1: Abuse and Nefarious Use of Cloud Computing
Problem: Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities.
Affected Layers: (slide diagram)
Suggested Solutions:
1. Stricter initial registration and validation processes.
2. Enhanced credit card fraud monitoring and coordination.
3. Comprehensive introspection of customer network traffic.
4. Monitoring public blacklists for one’s own network blocks.
Threat #2: Insecure Interfaces and APIs
Problem: CSPs expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. The security and availability of general cloud services depends on the security of these basic APIs, from authentication and access control to encryption.
Affected Layers: (slide diagram)
Suggested Solutions:
1. Analyze the security model of cloud provider interfaces.
2. Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
3. Understand the dependency chain associated with the API.
Threat #3: Malicious Insiders
Problem: A CSP may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees.
Affected Layers: (slide diagram)
Suggested Solutions:
1. Enforce strict supply chain management and conduct a comprehensive supplier assessment.
2. Specify human resource requirements as part of legal contracts.
3. Require transparency into overall information security and management practices, as well as compliance reporting.
4. Determine security breach notification processes.
Threat #4: Shared Technology Issues
Problem: IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g. CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture.
Affected Layers: (slide diagram)
Suggested Solutions:
1. Implement security best practices for installation/configuration.
2. Monitor the environment for unauthorized changes/activity.
3. Promote strong authentication and access control for administrative access and operations.
4. Enforce service level agreements for patching and vulnerability remediation.
5. Conduct vulnerability scanning and configuration audits.
Threat #5: Data Loss or Leakage
Problem: There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media.
Affected Layers: (slide diagram)
Suggested Solutions:
1. Implement strong API access control.
2. Encrypt and protect the integrity of data in transit.
3. Analyze data protection at both design and run time.
4. Implement strong key generation, storage and management, and destruction practices.
5. Contractually demand that providers wipe persistent media before it is released into the pool.
6. Contractually specify provider backup and retention strategies.
Threat #6: Account or Service Hijacking
Problem: Account and service hijacking, usually with stolen credentials, remains a top threat. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks.
Affected Layers: (slide diagram)
Suggested Solutions:
1. Prohibit the sharing of account credentials between users and services.
2. Leverage strong two-factor authentication techniques where possible.
3. Employ proactive monitoring to detect unauthorized activity.
4. Understand cloud provider security policies and SLAs.
Threat #7: Unknown Risk Profile
Problem: When adopting a cloud service, the features and functionality may be well advertised, but what about the details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your data and related logs stored and who has access to them? What information, if any, will the vendor disclose in the event of a security incident?
Affected Layers: (slide diagram)
Suggested Solutions:
1. Disclosure of applicable logs and data.
2. Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
3. Monitoring and alerting on necessary information.
CSA “The Notorious Nine” (2013):
Threat #1: Data Breaches (aka Leakage)
Threat #2: Data Loss
Threat #3: Account or Service Hijacking
Threat #4: Insecure Interfaces and APIs
Threat #5: Denial of Service
Threat #6: Malicious Insiders
Threat #7: Abuse and Nefarious Use of Cloud Computing
Threat #8: Unknown Risk Profile
Threat #9: Shared Technology Issues
[Reference: CSA, Top Threats Working Group, "The Notorious Nine", Cloud Computing Top Threats in 2013, February 2013]
Threat #5 (2013): Denial of Service
Problem: Denial of Service attacks prevent users from using or accessing the cloud service, either their data or their applications.
Affected Layers: (slide diagram)
Controls:
1. CCM IS-04: Information Security - Baseline Requirements
2. CCM OP-03: Operations Management - Capacity/Resource Planning
3. CCM RS-07: Resiliency - Equipment Power Failures
4. CCM SA-04: Security Architecture - Application Se.
Taxonomy of Fear
Confidentiality
Fear of loss of control over data. Will sensitive data stored on a cloud remain confidential? Will the cloud provider itself be honest and not peek into the data?
Integrity
How do I know that the cloud provider is doing the computations correctly? How do I ensure that the cloud provider really stored my data without tampering with it?
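As an added illustration of the second integrity question (example code, not from the presentation): the consumer keeps a secret key and a small ledger of per-object tags on its own side, so that an object the provider has modified, swapped for another, or rolled back to an older copy fails verification when read back. The provider is modelled as a plain dict, and the object names and contents are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example: client-side ledger {name: (version, tag)}; the provider (a dict) is untrusted.
def make_tag(key, name, version, data):
    """HMAC-SHA256 over name, version and content, each length-prefixed, so a
    swapped object or an older copy fails verification, not only edited bytes."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in (name.encode(), version.to_bytes(8, "big"), data):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()

class Client:
    def __init__(self, provider, key=None):
        self.provider = provider          # untrusted remote storage
        self.key = key or os.urandom(32)  # never leaves the client
        self.ledger = {}                  # name -> (version, tag)

    def write(self, name, data):
        version = self.ledger.get(name, (0, b""))[0] + 1
        self.ledger[name] = (version, make_tag(self.key, name, version, data))
        self.provider[name] = data

    def read(self, name):
        """Return (data, verified); verified is False on any mismatch or missing object."""
        version, expected = self.ledger[name]
        data = self.provider.get(name, b"")
        tag = make_tag(self.key, name, version, data)
        return data, hmac.compare_digest(tag, expected)

def demo():
    """Four provider behaviours; only the honest read should verify."""
    provider = {}
    c = Client(provider)
    c.write("invoice.txt", b"total=100")
    c.write("notes.txt", b"hello")
    out = {"honest": c.read("invoice.txt")[1]}
    stale = provider["invoice.txt"]
    provider["invoice.txt"] = b"total=900"           # bytes edited by the provider
    out["modified"] = c.read("invoice.txt")[1]
    provider["invoice.txt"] = provider["notes.txt"]  # swapped with another object
    out["swapped"] = c.read("invoice.txt")[1]
    c.write("invoice.txt", b"total=110")
    provider["invoice.txt"] = stale                  # rolled back to the old version
    out["rollback"] = c.read("invoice.txt")[1]
    return out
```

The ledger has to stay under the consumer's control; if it is stored at the same provider, the provider can rewrite both copy and tag together.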
Availability
Will critical systems go down at the client if the provider is attacked in a Denial of Service attack? What happens if the cloud provider goes out of business? Would the cloud scale well enough?
Auditability and forensics: it is difficult to audit data held outside the organization in a cloud, and forensics is made difficult as well.
• Privacy issues raised via massive data mining: the cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients.
• Increased attack surface: attackers can now target the communication link between cloud provider and client.
Legal quagmire and transitive trust issues: if the cloud provider subcontracts to third-party clouds, will the data still be secure (and still comply with regulations)?
Most security problems come from 3 reasons: loss of control, lack of trust, multi-tenancy.
Consumer’s loss of control: data, applications, resources, user access control rules and security policies are managed by the CSP.
The consumer relies on the provider to ensure: data security and privacy - resource availability - monitoring and repairing of services/resources.
Lack of trust: people only trust when it pays. The need for trust arises only in risky situations. Trusting a third party requires taking risks.
Multi-tenancy: cloud computing brings new threats since users share the same physical infrastructure, so an attacker can be on the same physical machine as the target.
There is a conflict between tenants’ opposing goals, so how do we provide strong separation between tenants?
Minimize loss of control: monitoring - utilizing different clouds - access control management
Minimize lack of trust: policy language - certification
Minimize multi-tenancy: private cloud - strong separation
Minimize loss of control - monitoring: requires an application-specific run-time monitoring and management tool for the consumer (enables both the provider and the tenants to monitor the components in the cloud that are under their control).
Minimize loss of control - utilizing different clouds: propose a multi-cloud (use services from different clouds) in which users spread the risk, increase redundancy and increase the chance of mission completion for critical apps.
Issues: policy incompatibility - data dependency between clouds - data redundancy - spreading your sensitive data.
Minimize loss of control - access control management: there are many possible layers of access control (access to the cloud, access to servers, access to services, etc.).
Federated Identity Management: the access control management burden still lies with the provider.
Consumer-managed access control: requires less trust in the provider.
Example: a user on the Amazon cloud
The user’s full record: 1. Name 2. E-mail 3. Password 4. Billing Address 5. Shipping Address 6. Credit Card
Subset released for shipping: 1. Name 2. E-mail 3. Shipping Address
Subset released for billing: 1. Name 2. Billing Address 3. Credit Card
Minimize lack of trust - policy language: create a policy language which is machine-understandable and easy to combine/merge and compare; a validation tool is needed to check that the policy created in the standard language correctly reflects the policy creator’s intentions.
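An added example (not part of the presentation) of what a small consumer-written release policy with those properties can look like, tying the policy-language requirements to the consumer-managed access control and the Amazon user record above: the data owner, not the provider, states which profile fields each party may receive; policies can be merged and compared; a validator checks a policy against the owner's intention; and enforcement never releases more than the policy grants. The party names, the NEVER_RELEASE set and the profile values are constructed; the field names follow the user record above.

```python
# Constructed example: a release policy is a dict {party: set of profile fields it may receive}.
PROFILE = {
    "Name": "A. User", "E-mail": "a.user@example.com", "Password": "<hashed>",
    "Billing Address": "1 Billing St", "Shipping Address": "2 Ship Rd",
    "Credit Card": "4111-xxxx-xxxx-1111",
}
NEVER_RELEASE = {"Password"}  # hypothetical: no policy may grant these to any party

def merge(*policies):
    """Combine policies: each party gets the union of what the policies grant it."""
    merged = {}
    for policy in policies:
        for party, fields in policy.items():
            merged[party] = merged.get(party, set()) | set(fields)
    return merged

def compare(a, b):
    """Per party that differs: (fields only a grants, fields only b grants)."""
    return {p: (a.get(p, set()) - b.get(p, set()), b.get(p, set()) - a.get(p, set()))
            for p in set(a) | set(b) if a.get(p, set()) != b.get(p, set())}

def validate(policy, intention):
    """Check a policy against the owner's intention; an empty list means it matches."""
    problems = []
    for party, fields in policy.items():
        if fields & NEVER_RELEASE:
            problems.append(f"{party}: grants never-release {sorted(fields & NEVER_RELEASE)}")
        extra = fields - intention.get(party, set())
        if extra:
            problems.append(f"{party}: grants more than intended {sorted(extra)}")
    return problems

def release(profile, policy, party):
    """Enforcement: the party receives only granted fields, and never a blocked one."""
    return {f: profile[f] for f in sorted(policy.get(party, set()))
            if f in profile and f not in NEVER_RELEASE}

SHIPPING = {"shipper": {"Name", "E-mail", "Shipping Address"}}
BILLING = {"payment": {"Name", "Billing Address", "Credit Card"}}
INTENTION = merge(SHIPPING, BILLING)  # what the owner meant to allow

def demo():
    bad = merge(INTENTION, {"shipper": {"Password"}})  # a mistaken extra grant
    return {
        "shipper_view": release(PROFILE, INTENTION, "shipper"),
        "payment_view": release(PROFILE, INTENTION, "payment"),
        "good_problems": validate(INTENTION, INTENTION),
        "bad_problems": validate(bad, INTENTION),
    }
```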
Minimize lack of trust - certification: some form of reputable, independent, comparable assessment and description of security features and assurance. Risk assessment: performed by certified third parties.
Minimize multi-tenancy: you can’t really force the provider to accept fewer tenants. Use a private cloud. Use strong isolation techniques. Increase trust in the tenants: use SLAs (service level agreements) to enforce trusted behavior.
Comments: big black box, nothing is visible, complexity. The CSP can have malicious system admins who can violate confidentiality and integrity. Overall there are confidentiality, integrity, availability, and privacy issues.
Future works
The mainstream adoption of cloud computing could cause many problems for users. The trend of large vendors entering CC will accelerate rapidly. There are still too many areas to look at in open research, like security, management, etc. Commercial offerings are proprietary and usually not open for cloud systems research and development.
Conclusion
Cloud computing is sometimes viewed as a reincarnation of the classic mainframe client-server model; however, it has many attributes, characteristics, advantages and disadvantages of its own.
Cloud delivery models are SaaS, PaaS and IaaS, while cloud deployment models are Public, Private, Hybrid and Community.
For cloud computing security issues it may be helpful to identify the problems and approaches in terms of: loss of control - lack of trust - multi-tenancy problems.
Future work in CC still has big issues in terms of security, management, etc.