A Survey on Security Issues in Service Delivery Models of Cloud Computing
S. Subashini and V. Kavitha (2011)
Presented by: Anthony Postiglione
Outline
- Introduction
  - What is cloud computing
  - Pros/cons of cloud computing
  - Different types of delivery models
- Overview of security issues in delivery models
  - Security issues in SaaS
  - Security issues in PaaS
  - Security issues in IaaS
- Current security solutions
- Conclusion
Introduction
- What is cloud computing?
  - The practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or personal computer
Introduction
- Cloud computing benefits
  - Massively scalable
  - Cheaper than non-cloud-based solutions
  - Less overhead for consumers
  - Increased resiliency
  - Real-time detection of system tampering
  - On-demand security controls
Introduction
- Cloud computing drawbacks
  - Accessibility vulnerabilities
  - Virtualization vulnerabilities
  - Web application vulnerabilities
  - Physical access issues
  - Privacy and control issues
  - Identity and credential management
  - Data verification, tampering, and integrity
Different Service Models
- SaaS (Software as a Service): provider licenses an application to the customer for use as a service on demand. Example: Salesforce.com. This is the focus of this paper.
- PaaS (Platform as a Service): delivery of a computing platform and solution stack as a service. Example: Google Apps.
- IaaS (Infrastructure as a Service): clients buy resources (servers, software, data center space, network equipment) as a fully outsourced service. Example: Amazon Web Services.
Overview of Security Issues in Service Models
- SaaS (Software as a Service)
  - How is your data being stored and secured?
  - System availability and access
- PaaS (Platform as a Service)
  - Advantages can also be used as potential points of attack for hackers
- IaaS (Infrastructure as a Service)
  - Most IaaS suppliers only provide basic levels of security, forcing the client to manage the application-side security
Security Issues in SaaS
- Data security
- Network security
- Data locality
- Data integrity
- Data segregation
- Data access
- Authentication and authorization
- Data confidentiality
- Web application security
- Data breaches
- Virtualization vulnerability
- Availability
- Backup
- Identity management and sign-on processes
Security Issues in SaaS: Data Security
- Service providers must adopt additional security checks to ensure data security
- Common issues:
  - Application vulnerabilities
  - Malicious employees/users
Security Issues in SaaS: Network Security
- All data flowing over the network must be secured to prevent leakage of sensitive information
- Amazon Web Services (S3) approach
  - Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
  - End-to-end encryption
- Common tests to validate security
  - Network penetration testing and packet analysis
  - Session management weaknesses
  - Insecure SSL trust configuration
Security Issues in SaaS: Data Locality
- Where is your data being stored?
- Export issues
- Potentially sensitive information
- Whose jurisdiction does it fall under?
Security Issues in SaaS: Data Integrity
- Generally there is a mix of on-premise and SaaS applications
- One of the biggest challenges is transaction management
  - No current mature standard for handling this issue
  - Different levels of availability and SLA (service-level agreement)
Security Issues in SaaS: Data Segregation and Authentication
- Segregation
  - Multiple users' data will reside in the same physical location
  - Intrusion can occur from:
    - Hacking through loopholes in the application
    - Injecting client code into the SaaS system
  - A clear boundary for data is a MUST at both the application and physical levels
- Authentication
  - Who is managing it?
  - Potential increase in overhead
Security Issues in SaaS: Data Access
- In a normal environment, not all employees have the same level of access to data on their company's network
- SaaS providers must allow for the same functionality as well as providing organizational boundaries
Security Issues in SaaS: Authentication and Authorization
- In a normal environment, companies store employee information in some type of Lightweight Directory Access Protocol (LDAP) directory or Active Directory (AD)
- These accounts must be mirrored on the SaaS provider's servers
  - Causes additional overhead for the customer
  - Utilizing more SaaS products increases this overhead greatly
Security Issues in SaaS: Data Confidentiality
- Many types of cloud computing services exist
  - Data storage, video hosting, tax preparation, personal health records, etc.
- Privacy and confidentiality risks vary significantly depending on terms of service
  - Disclosure issues
  - Legal issues
- Protections exist for emails and other computer records, but it is difficult to apply these to cloud computing
  - Electronic Communications Privacy Act of 1986 (ECPA)
  - Why is it difficult to apply these protections?
Security Issues in SaaS: Data Confidentiality
- Why is it difficult to apply ECPA to cloud computing?
  - Characterization of activity as communication or storage is complicated
  - Is the information content or non-content?
  - Cloud provider terms of service
  - User-granted consent
  - Identity of the service provider
Security Issues in SaaS: Web Application Security
- Customers access SaaS software via the web
- Security holes in the web applications used by SaaS providers create vulnerabilities
- Traditional network security solutions do not adequately address the problem
- Verizon Business 2008 Data Breach Investigation Report: 59% of breaches involved hacking
  - Application/service layer: 39%
  - OS/platform layer: 23%
  - Exploit of a known vulnerability: 18%
  - Exploit of an unknown vulnerability: 5%
  - Use of a back door: 15%
Security Issues in SaaS: Web Application Security
- If the web application in use by a SaaS provider is vulnerable to a type of attack, all of the data behind the application is at risk
- Top risk factors faced by web applications
  - Injection flaws (SQL, OS, and LDAP)
  - Cross-site scripting
  - Broken authentication and session management
  - Insecure direct object references
  - Cross-site request forgery
  - Security misconfiguration
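The data segregation slide says the tenant boundary is a must at the application level, and this slide lists insecure direct object references and injection flaws as the web-layer risks that break it. The following is an added example, not code from the paper or the slides: a weak record lookup that trusts a client-supplied tenant id and splices request values into SQL, beside a hardened lookup that takes the tenant scope from the authenticated session and binds parameters. The table, columns and sample rows are constructed for the demo.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated caller. tenant_id is set at login by the identity
    provider and is never taken from request input."""
    user: str
    tenant_id: int


def build_db() -> sqlite3.Connection:
    """In-memory store with two tenants' rows in one physical table
    (constructed sample data, the shared-storage situation SaaS creates)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, "
               "tenant_id INTEGER, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, 100, 50), (2, 100, 75), (3, 200, 999)])
    return db


def invoices_weak(db, requested_tenant: int, invoice_id: str):
    """Weak: the tenant id comes from the request (insecure direct object
    reference), so any caller can name another tenant, and the values are
    concatenated into SQL, which is also an injection flaw."""
    sql = (f"SELECT id, tenant_id, amount FROM invoices "
           f"WHERE tenant_id = {requested_tenant} AND id = {invoice_id}")
    return db.execute(sql).fetchall()


def invoices_hardened(db, session: Session, invoice_id: str):
    """Hardened: tenant scope is taken from the session, the invoice id is
    validated, and both values are bound as query parameters."""
    if not invoice_id.isdigit():
        raise ValueError("invoice id must be numeric")
    sql = ("SELECT id, tenant_id, amount FROM invoices "
           "WHERE tenant_id = ? AND id = ?")
    return db.execute(sql, (session.tenant_id, int(invoice_id))).fetchall()


if __name__ == "__main__":
    db = build_db()
    alice = Session("alice", tenant_id=100)
    # Weak path: a tenant-100 user asks for tenant 200's invoice and gets it.
    print(invoices_weak(db, 200, "3"))
    # Hardened path: the same request returns nothing outside tenant 100.
    print(invoices_hardened(db, alice, "3"))
```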
Security Issues in SaaS: Data Breaches
- Data breaches in the cloud can have a large impact
- An attack on a cloud environment risks the data of all users being affected
- Verizon Business 2008 Data Breach Investigation Report
  - External criminals pose the greatest threat (73%) but achieve the least impact
  - Insiders pose the least threat (18%) but achieve the greatest impact
  - Partners are middle of the pack in both threat and impact
Security Issues in SaaS: Virtualization and Backups
- Virtualization
  - Virtualization is one of the main components of the cloud
  - Keeping instances running on the same machine isolated is a major task, currently not met completely
  - Administrators must keep tight control on host and guest operating systems
    - Malicious scripts run by users can exploit holes in virtualization
- Backup
  - SaaS vendors must ensure all sensitive data is regularly backed up for recovery purposes
  - Encryption is not guaranteed
  - Problems include:
    - Insecure storage
    - Insecure configuration
Security Issues in SaaS: Availability
- SaaS vendors must be able to guarantee service around the clock
- Resiliency to hardware and software failures as well as DDoS attacks needs to be built in from the ground up
- Geographic diversity is important
Security Issues in SaaS: Identity Management
Security Issues in PaaS
- Any security below the application level (host and network intrusion prevention, data segregation between applications) is still in the scope of the service provider
- Tends to be more extensible but with fewer customer-ready features (including security features and capabilities)
- Likely areas of attack
  - Infrastructure
  - Machine-to-machine
  - Service Oriented Architecture (SOA) applications
Security Issues in IaaS
- Developer has better control over security
- Virtualization causes issues
- Retaining control over data regardless of physical location
- Physical security
- Security responsibilities vary greatly depending on the service provider
  - Amazon (EC2) as an example
Security Issues in IaaS

| | Public Cloud | Private/Community Cloud | Hybrid Cloud |
|---|---|---|---|
| Infrastructure management | Third-party provider | Organization or third-party provider | Both organization and third-party provider |
| Infrastructure ownership | Third-party provider | Organization or third-party provider | Both |
| Infrastructure location | Off-premise | On-premise or off-premise | Both |
| Access and consumption | Untrusted | Trusted | Both trusted and untrusted |
Current Security Solutions
- Cloud Security Alliance
  - Working towards better standards and best practices
- Open Web Application Security Project
  - Maintains an up-to-date list of top vulnerabilities
- Best approach to security is developing a framework that has a tough security architecture
  - Resource isolation
  - Using encrypted protocols
Conclusion
- Cloud-based computing systems have some extreme advantages over traditional systems, but have many practical problems
- Outstanding issues include
  - Service level agreement discrepancies
  - Security and privacy
  - Power efficiency
- Until proper security procedures are in place, many customers will stay away from cloud-based solutions
- Integrated security models targeting different levels of data security are an important step in the process
  - Requirement-based (customizable) security
- With the increase of cloud-based computing, security issues are becoming increasingly important to fix
Thanks! Questions/Comments?
Anthony Postiglione
Email: avp275@mst.edu

[SK2011] S. Subashini and V. Kavitha, "A survey on security issues in service delivery models of cloud computing," Journal of Network and Computer Applications, vol. 34, no. 1, pp. 1-11, January 2011.