Security Issues in Cloud Computing




CSCI 454/554

Cloud Computing
- Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
- This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Cloud Computing Elements (Figure 16.7)
- Essential Characteristics: Broad Network Access; Rapid Elasticity; Resource Pooling; Measured Service; On-Demand Self-Service
- Service Models: Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS)
- Deployment Models: Public; Private; Hybrid; Community

Figure 16.8 Cloud Computing Context: enterprise users reach the cloud service provider's servers through the enterprise LAN switch and router, across a network or the Internet, and then through the provider's router and LAN switch.

Cloud Computing Reference Architecture
- Describes what cloud services provide, not how to design a solution and implementation.
- Facilitates the understanding of the operational intricacies in cloud computing.
- It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.

Figure 16.9 NIST Cloud Computing Reference Architecture: the actors are the Cloud Provider, Cloud Consumer, Cloud Auditor (security audit, privacy impact audit, performance audit), Cloud Broker (service intermediation, aggregation, arbitrage) and Cloud Carrier. Within the provider: service orchestration (service layer with SaaS, PaaS and IaaS; resource abstraction and control layer; physical resource layer with hardware and facility), cloud service management (business support, provisioning/configuration, portability/interoperability), security and privacy.

Roles and Responsibilities

Cloud provider (CP)
- Can provide one or more of the cloud services to meet IT and business requirements of cloud consumers
- For each of the three service models (SaaS, PaaS, IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers
- For SaaS, the CP deploys, configures, maintains, and updates the operation of the software applications on a cloud infrastructure so that the services are provisioned at the expected service levels to cloud consumers
- For PaaS, the CP manages the computing infrastructure for the platform and runs the cloud software that provides the components of the platform, such as runtime software execution stack, databases, and other middleware components
- For IaaS, the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure

Cloud carrier
- A networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs

Cloud auditor
- An independent entity that can assure that the CP conforms to a set of standards

Cloud broker
- Useful when cloud services are too complex for a cloud consumer to easily manage
- Three areas of support can be offered by a cloud broker:
  - Service intermediation: value-added services such as identity management, performance reporting, and enhanced security
  - Service aggregation: the broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost
  - Service arbitrage: a broker has the flexibility to choose services from multiple agencies

Cloud Security Risks and Countermeasures
- Abuse and nefarious use of cloud computing
  - Countermeasures: stricter initial registration and validation processes; enhanced credit card fraud monitoring and coordination; comprehensive introspection of customer network traffic; monitoring public blacklists for one's own network blocks
- Malicious insiders
  - Countermeasures: enforce strict supply chain management and conduct a comprehensive supplier assessment; specify human resource requirements as part of the legal contract; require transparency into overall information security and management practices, as well as compliance reporting; determine security breach notification processes

Cloud Security Risks and Countermeasures (II)
- Insecure interfaces and APIs
  - Countermeasures: analyzing the security model of CP interfaces; ensuring that strong authentication and access controls are implemented in concert with encryption machines; understanding the dependency chain associated with the API
- Shared technology issues
  - Countermeasures: implement security best practices for installation/configuration; monitor the environment for unauthorized changes/activity; promote strong authentication and access control for administrative access and operations; enforce SLAs for patching and vulnerability remediation; conduct vulnerability scanning and configuration audits
- Data loss or leakage
  - Countermeasures: implement strong API access control; encrypt and protect the integrity of data in transit; analyze data protection at both design and run time; implement strong key generation, storage and management, and destruction practices

Cloud Security Risks and Countermeasures (III)
- Account or service hijacking
  - Countermeasures: prohibit the sharing of account credentials between users and services; leverage strong two-factor authentication techniques where possible; employ proactive monitoring to detect unauthorized activity; understand CP security policies and SLAs
- Unknown risk profile
  - Countermeasures: disclosure of applicable logs and data; partial/full disclosure of infrastructure details; monitoring and alerting on necessary information

Table 16.3 NIST Guidelines on Security and Privacy Issues and Recommendations (page 1 of 2)

Governance
- Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, use, and monitoring of deployed or engaged services.
- Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.

Compliance
- Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements.
- Review and assess the cloud provider's offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements.
- Ensure that the cloud provider's electronic discovery capabilities and processes do not compromise the privacy or security of data and applications.

Trust
- Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.
- Establish clear, exclusive ownership rights over data.
- Institute a risk management program that is flexible enough to adapt to the constantly evolving and shifting risk landscape for the lifecycle of the system.
- Continuously monitor the security state of the information system to support ongoing risk management decisions.

Architecture
- Understand the underlying technologies that the cloud provider uses to provision services, including the implications that the technical controls involved have on the security and privacy of the system, over the full system lifecycle and across all system components.

Identity and access management
- Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization.

Software isolation
- Understand virtualization and other logical isolation techniques that the cloud provider employs in its multi-tenant software architecture, and assess the risks involved for the organization.

(The table can be found on pages 514-515 in the textbook.)
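The account-hijacking countermeasures above (prohibiting credentials shared between users and services, and proactive monitoring for unauthorized activity) turned into a small detection, as an added example that is not part of the lecture slides or the textbook. The log format, credential ids, addresses and the set of privileged actions are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample API audit log (not from any real provider):
# timestamp, credential id, source address, action.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z key=svc-key-01 src=203.0.113.10 action=ListBuckets
2024-03-01T10:02:14Z key=svc-key-01 src=203.0.113.10 action=GetObject
2024-03-01T10:03:40Z key=svc-key-01 src=198.51.100.7 action=GetObject
2024-03-01T10:04:05Z key=svc-key-01 src=192.0.2.55 action=PutBucketPolicy
2024-03-01T10:05:30Z key=svc-key-02 src=203.0.113.20 action=ListBuckets
2024-03-01T10:06:00Z key=svc-key-02 src=203.0.113.20 action=GetObject
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) key=(?P<key>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$")
# Constructed list of actions that change authorization state.
PRIVILEGED = {"PutBucketPolicy", "CreateAccessKey", "AttachUserPolicy"}

def parse(log_text):
    """Parse the constructed format into sorted (timestamp, key, src, action) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["key"], m["src"], m["action"]))
    return sorted(events)

def shared_credentials(events, window=timedelta(minutes=10), max_sources=1):
    """Credentials used from more than max_sources addresses inside one window:
    a sign the key is shared between users/services, or has been hijacked."""
    by_key = defaultdict(list)
    for ts, key, src, _ in events:
        by_key[key].append((ts, src))
    findings = {}
    for key, uses in by_key.items():
        for i, (start, _) in enumerate(uses):
            srcs = {src for ts, src in uses[i:] if ts - start <= window}
            if len(srcs) > max_sources:
                findings[key] = sorted(srcs)
                break
    return findings

def privileged_from_new_source(events):
    """Privileged calls from an address the credential was never seen from before."""
    seen = defaultdict(set)
    hits = []
    for _, key, src, action in events:
        if action in PRIVILEGED and src not in seen[key]:
            hits.append((key, src, action))
        seen[key].add(src)
    return hits
```

In the sample, svc-key-01 is used from three addresses within four minutes and issues a policy change from an address it had never used before, while svc-key-02 stays clean.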

Table 16.3 NIST Guidelines on Security and Privacy Issues and Recommendations (page 2 of 2)
(The table can be found on pages 514-515 in the textbook.)

Data Protection in the Cloud
- The threat of data compromise increases in the cloud
- Database environments used in cloud computing can vary significantly
  - Multi-instance model
    - Provides a unique DBMS running on a virtual machine instance for each cloud subscriber
    - This gives the subscriber complete control over role definition, user authorization, and other administrative tasks related to security
  - Multi-tenant model
    - Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
    - Tagging gives the appearance of exclusive use of the instance, but relies on the CP to establish and maintain a sound secure database environment
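The multi-instance and multi-tenant database models described above, as an added example that is not from the slides or the textbook. It uses SQLite in-memory databases and constructed subscriber names to show that in the multi-tenant model the isolation exists only as long as the subscriber tag is applied to every query, whereas in the multi-instance model the instance boundary isolates the data on its own.

```python
import sqlite3
SCHEMA = "CREATE TABLE records (tenant_id TEXT NOT NULL, id INTEGER NOT NULL, payload TEXT)"

class MultiInstance:
    """Multi-instance model: a separate DBMS (here a separate in-memory database)
    per subscriber, so isolation comes from the instance boundary itself."""
    def __init__(self):
        self.instances = {}
    def connect(self, tenant_id):
        if tenant_id not in self.instances:
            conn = sqlite3.connect(":memory:")
            conn.execute(SCHEMA)
            self.instances[tenant_id] = conn
        return self.instances[tenant_id]
    def insert(self, tenant_id, rec_id, payload):
        self.connect(tenant_id).execute("INSERT INTO records VALUES (?, ?, ?)", (tenant_id, rec_id, payload))
    def lookup(self, tenant_id, rec_id):
        # No tenant predicate needed: this instance only ever holds one subscriber's rows.
        rows = self.connect(tenant_id).execute("SELECT payload FROM records WHERE id = ?", (rec_id,))
        return [r[0] for r in rows]

class MultiTenant:
    """Multi-tenant model: one shared database with every row tagged by subscriber id;
    isolation holds only while the tag is enforced on every query."""
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(SCHEMA)
    def insert(self, tenant_id, rec_id, payload):
        self.conn.execute("INSERT INTO records VALUES (?, ?, ?)", (tenant_id, rec_id, payload))
    def lookup_untagged(self, rec_id):
        # Failure mode: the tenant predicate is missing, so the query reads across tenants.
        rows = self.conn.execute("SELECT payload FROM records WHERE id = ?", (rec_id,))
        return [r[0] for r in rows]
    def lookup(self, tenant_id, rec_id):
        # Correct form: the access layer adds the subscriber tag to every query.
        rows = self.conn.execute(
            "SELECT payload FROM records WHERE tenant_id = ? AND id = ?", (tenant_id, rec_id))
        return [r[0] for r in rows]

def demo():
    """Load the same two (constructed) subscribers into both models and compare lookups."""
    mi, mt = MultiInstance(), MultiTenant()
    for model in (mi, mt):
        model.insert("acme", 1, "acme-secret")
        model.insert("globex", 1, "globex-secret")
    return {"multi_instance": mi.lookup("acme", 1),
            "multi_tenant_untagged": sorted(mt.lookup_untagged(1)),
            "multi_tenant_tagged": mt.lookup("acme", 1)}
```

Both subscribers use record id 1; only the untagged multi-tenant lookup returns the other subscriber's row.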

Security as a Service (SecaaS)
- The Cloud Security Alliance defines SecaaS as the provision of security applications and services via the cloud, either to cloud-based infrastructure and software or from the cloud to the customer's on-premise systems
- SecaaS security services: identity and access management; data loss prevention; web security; e-mail security; security assessments; intrusion management; security information and event management; encryption; business continuity and disaster recovery; network security

Figure 16.11 Elements of Security as a Service: the SecaaS services listed above, shown between cloud service clients and adversaries.

Summary
- Cloud computing elements
- Cloud computing reference architecture
- Cloud security risks and countermeasures
- Data protection in the cloud
- Security as a Service