A Survey on Security Issues in Service Delivery Models of Cloud Computing


A Survey on Security Issues in Service Delivery Models of Cloud Computing
S. Subashini and V. Kavitha (2011)
Presented by: Anthony Postiglione

Outline
- Introduction
- What is cloud computing
- Pros/cons of cloud computing
- Different types of delivery models
- Overview of security issues in delivery models
- Security issues in SaaS
- Security issues in PaaS
- Security issues in IaaS
- Current security solutions
- Conclusion

Introduction
What is cloud computing? The practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or personal computer.

Introduction: Cloud computing benefits
- Massively scalable
- Cheaper than non-cloud-based solutions
- Less overhead for consumers
- Increased resiliency
- Real-time detection of system tampering
- On-demand security controls

Introduction: Cloud computing drawbacks
- Accessibility vulnerabilities
- Virtualization vulnerabilities
- Web application vulnerabilities
- Physical access issues
- Privacy and control issues
- Identity and credential management
- Data verification, tampering, and integrity

Different Service Models
- SaaS (Software as a Service): the provider licenses an application to the customer for use as a service on demand. Example: Salesforce.com. Focus of this paper.
- PaaS (Platform as a Service): delivery of a computing platform and solution stack as a service. Example: Google Apps.
- IaaS (Infrastructure as a Service): clients buy resources (servers, software, data center space, network equipment) as a fully outsourced service. Example: Amazon Web Services.

Overview of Security Issues in Service Models
- SaaS (Software as a Service): how is your data being stored and secured?
- PaaS (Platform as a Service): system availability and access; the platform's advantages can also be used as potential points of attack by hackers.
- IaaS (Infrastructure as a Service): most IaaS suppliers only provide basic levels of security, forcing the client to manage application-side security.

Security Issues in SaaS
- Data security
- Network security
- Data locality
- Data integrity
- Data segregation
- Data access
- Authentication and authorization
- Data confidentiality
- Web application security
- Data breaches
- Virtualization vulnerability
- Availability
- Backup
- Identity management and sign-on processes

Security Issues in SaaS: Data and Network Security
Data security
- Service providers must adopt additional security checks to ensure data security
- Common issues: application vulnerabilities; malicious employees/users
Network security
- All data flowing over the network must be secured to prevent leakage of sensitive information
- Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
- Amazon Web Services (S3) approach: end-to-end encryption

Security Issues in SaaS: Network Security
- All data flowing over the network must be secured to prevent leakage of sensitive information
- Amazon Web Services approach: Secure Sockets Layer (SSL) / Transport Layer Security (TLS), end-to-end encryption
- Common tests to validate security:
  - Network penetration and packet analysis
  - Session management weaknesses
  - Insecure SSL trust configuration
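The last test above, "insecure SSL trust configuration", can be partly automated on the client side. The following is an added example (not from the paper or the slides) that audits a Python ssl.SSLContext for the trust settings a SaaS client must not relax; the weak context is constructed here purely for contrast.

```python
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses found in a client-side SSLContext (empty list if acceptable)."""
    findings = []
    # Without CERT_REQUIRED the client accepts any certificate, so the server is never authenticated.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required (verify_mode != CERT_REQUIRED)")
    # A valid certificate for the wrong host still passes unless the hostname is checked.
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname=False)")
    # Anything below TLS 1.2 exposes the session to known protocol weaknesses.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"legacy protocol allowed (minimum_version={ctx.minimum_version.name})")
    return findings


def make_weak_context() -> ssl.SSLContext:
    """Constructed example of a 'trust everything' client configuration (do not use)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """Default context: CERT_REQUIRED, hostname checking and the system CA store, pinned to TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("weak:    ", audit_tls_context(make_weak_context()))
    print("hardened:", audit_tls_context(make_hardened_context()))
```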

Security Issues in SaaS: Data Locality and Integrity
Locality
- Where is your data being stored?
- Export issues: potentially sensitive information
- Whose jurisdiction does it fall under?
Integrity
- Generally there is a mix of on-premise and SaaS applications
- One of the biggest challenges is transaction management
- No current mature standard for handling this issue
- Different levels of availability and SLA (service-level agreement)

Security Issues in SaaS: Data Segregation, Access, Authentication
Segregation
- Multiple users' data will reside in the same physical location
- Intrusion can occur from:
  - Hacking through loopholes in the application
  - Injecting client code into the SaaS system
- A clear boundary for data is a MUST at both the application and physical levels
Access
- In a normal environment, not all employees have the same level of access to data on their company's network. SaaS providers must allow for the same functionality as well as providing organizational boundaries.
Authentication
- Who is managing it?
- Potential increase in overhead

Security Issues in SaaS: Authentication and Authorization
- In a normal environment, companies store employee information in some type of Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) service
- These accounts must be mirrored on the SaaS provider's servers
- Causes additional overhead for the customer
- Utilizing more SaaS products increases overhead greatly

Security Issues in SaaS: Data Confidentiality
- Many types of cloud computing services exist: data storage, video hosting, tax preparation, personal health records, etc.
- Privacy and confidentiality risks vary significantly depending on terms of service
- Disclosure issues
- Legal issues: protections exist for emails and other computer records, but it is difficult to apply these to cloud computing
  - Electronic Communications Privacy Act of 1986 (ECPA)
  - Why is it difficult to apply these protections?

Security Issues in SaaS: Data Confidentiality
Why is it difficult to apply ECPA to cloud computing?
- Characterization of activity as communication or storage is complicated
- Is the information content or non-content?
- Cloud provider terms of service
- User-granted consent
- Identity of the service provider

Security Issues in SaaS: Web Application Security
- Customers access SaaS software via the web
- Security holes in the web applications used by SaaS providers create vulnerabilities
- Traditional network security solutions do not adequately address the problem
- Verizon Business 2008 Data Breach Investigation Report: 59% of breaches involved hacking
  - Application/service layer: 39%
  - OS/platform layer: 23%
  - Exploit known vulnerability: 18%
  - Exploit unknown vulnerability: 5%
  - Use of back door: 15%

Security Issues in SaaS: Web Application Security
- If a web application in use by a SaaS provider is vulnerable to a type of attack, all of the data behind the application is at risk
- Top risk factors faced by web applications:
  - Injection flaws (SQL, OS, and LDAP)
  - Cross-site scripting
  - Broken authentication and session management
  - Insecure direct object references
  - Cross-site request forgery
  - Security misconfiguration
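The data segregation and access slides above ask for a clear tenant boundary at the application level, and this slide lists injection flaws and insecure direct object references as the risks that break it. The following added example (not from the paper or the slides) shows both defects in one lookup routine and the hardened form; the tenants, table and records are constructed in memory with sqlite3.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed multi-tenant table: two SaaS customers ('acme', 'globex') sharing one database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, tenant TEXT, payload TEXT)")
    conn.executemany(
        "INSERT INTO records (id, tenant, payload) VALUES (?, ?, ?)",
        [(1, "acme", "acme payroll"), (2, "acme", "acme contracts"), (3, "globex", "globex payroll")],
    )
    return conn


DB = build_db()


def fetch_record_vulnerable(conn: sqlite3.Connection, record_id: str) -> list:
    """Two defects: no tenant boundary (insecure direct object reference) and the id is
    pasted into the SQL text (injection flaw)."""
    sql = f"SELECT tenant, payload FROM records WHERE id = {record_id}"
    return conn.execute(sql).fetchall()


def fetch_record_hardened(conn: sqlite3.Connection, session_tenant: str, record_id: str):
    """The tenant comes from the authenticated session, never from the request, and the
    query is parameterised so the id is always treated as data. Returns None if the
    record does not exist, belongs to another tenant, or the id is malformed."""
    try:
        rid = int(record_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT tenant, payload FROM records WHERE id = ? AND tenant = ?",
        (rid, session_tenant),
    ).fetchone()


if __name__ == "__main__":
    # An 'acme' user asking for record 3 (owned by 'globex'):
    print("vulnerable:", fetch_record_vulnerable(DB, "3"))        # leaks globex data
    print("hardened:  ", fetch_record_hardened(DB, "acme", "3"))  # None
```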

Security Issues in SaaS: Data Breaches
- Data breaches in the cloud can have a large impact
- An attack on a cloud environment risks the data of all users being affected
- Verizon Business 2008 Data Breach Investigation Report:
  - External criminals pose the greatest threat (73%) but achieve the least impact
  - Insiders pose the least threat (18%) but achieve the greatest impact
  - Partners are in the middle of the pack in both threat and impact

Security Issues in SaaS: Virtualization and Backups
Virtualization
- Virtualization is one of the main components of the cloud
- Keeping instances running on the same machine isolated is a major task, currently not met completely
- Administrators must keep tight control on host and guest operating systems
  - Malicious scripts run by users can exploit holes in virtualization
Backup
- SaaS vendors must ensure all sensitive data is regularly backed up for recovery purposes
- Encryption is not guaranteed
- Problems include:
  - Insecure storage
  - Insecure configuration

Security Issues in SaaS: Availability
- SaaS vendors must be able to guarantee service around the clock
- Resiliency to hardware and software failures as well as DDoS attacks needs to be built in from the ground up
- Geographic diversity is important

Security Issues in SaaS: Identity Management

Security Issues in PaaS
- Any security below the application level (host and network intrusion prevention, data segregation between applications) is still in the scope of the service provider
- Tends to be more extensible but with fewer customer-ready features (including security features and capabilities)
- Likely areas of attack:
  - Infrastructure
  - Machine-to-machine
  - Service Oriented Architecture (SOA) applications

Security Issues in IaaS
- The developer has better control over security
- Virtualization causes issues
- Retaining control over data regardless of physical location
- Physical security
- Security responsibilities vary greatly depending on the service provider; Amazon (EC2) as an example

Security Issues in IaaS

| | Public Cloud | Private/Community Cloud | Hybrid Cloud |
|---|---|---|---|
| Infrastructure management | Third-party provider | Organization or third-party provider | Both organization and third-party provider |
| Infrastructure ownership | Third-party provider | Organization or third-party provider | Both |
| Infrastructure location | Off-premise | On-premise or off-premise | Both |
| Access and consumption | Untrusted | Trusted | Trusted and untrusted |

Current Security Solutions
- Cloud Security Alliance: working towards better standards and best practices
- Open Web Application Security Project: maintains an up-to-date list of top vulnerabilities
- The best approach to security is developing a framework that has a tough security architecture:
  - Resource isolation
  - Using encrypted protocols

Conclusion
- Cloud-based computing systems have some extreme advantages over traditional systems, but have many practical problems
- Outstanding issues include:
  - Service level agreement discrepancies
  - Security and privacy
  - Power efficiency
- Until proper security procedures are in place, many customers will stay away from cloud-based solutions
- Integrated security models targeting different levels of security of data are an important step in the process
- Requirement-based (customizable) security
- With the increase of cloud-based computing, security issues are becoming increasingly important to fix

Thanks! Questions/Comments?
Anthony Postiglione, Email: avp275@mst.edu

[SK2011] S. Subashini and V. Kavitha, "A survey on security issues in service delivery models of cloud computing," Journal of Network and Computer Applications, Volume 34, Issue 1, pp. 1-11, January 2011.