PRESENTED BY: IBTISSAM ENNAJJAR

Cloud Computing Security

Café scientifique, 13/11/2015

Cloud Computing Security - IEEE Morocco Section



Overview

• Definition
• Characteristics
• Advantages & Drawbacks
• Security Problem
• Security Risks
• Security Threats

Cloud Computing

Cloud Security

Introduction

Architecture

[Figure: cloud architecture diagram. Labels: Hypervisor, VM, Cloud Service API, Deployer, DevOps, Private Network, Cloud operations, Cloud service provider, Customer, Enterprise, Attacker, Internet, DC ops]

Delivery Models

Deployment Models

Advantages and Disadvantages?

Advantages:

• Greater efficiency
• Increased flexibility
• Scalability
• A way to deal with lack of technical expertise
• Lower computing costs

Disadvantages:

• Security concerns
• Privacy
• International Issues
• Loss of local control
• Requires constant high-speed Internet access

Security Problem

• In 2007, Salesforce.com leaked customer contact lists after an employee revealed the list to a phisher, and in turn allowed scammers to target phishing attacks against Salesforce customers.

• Google revealed in June 2011 that hackers from China stole passwords and attempted to break into email accounts to steal information.

• In April 2011, Sony was involved in a massive security blunder that potentially gave away 100 million credit card numbers. Hackers claimed to have stolen millions of credit card numbers from Sony’s PlayStation Network.

• Hotmail and Yahoo Mail users were also targeted in phishing attacks. The attacks involved a user either clicking a malicious link in the email or even viewing the email itself, which would then run malicious code and attempt to compromise the user’s account.

What are the Major Threats in Cloud?

Data Breaches

Insecure APIs

Data Loss

Denial of Service

Account/Service Hijacking

Malicious Insider

Shared technology

Shared Technology Issues

[Figure: shared technology diagram. Labels: Hypervisor, VM, Customer A, Customer B, Attacker]

Malicious Insider

[Figure: malicious insider diagram. Labels: Hypervisor, VM, Cloud Service API, Deployer, DevOps, Private Network, Cloud operations, Cloud service provider]

Denial of Service

[Figure: denial of service diagram. Labels: Hypervisor, VM, Cloud Service API, Cloud service provider, Enterprise, Attacker, Internet]

Insecure Interfaces and APIs

Weak TLS crypto (use of HTTP instead of HTTPS).

Incomplete verification of encrypted content.

Account or Service Traffic Hijacking

Account Hijacking: Unauthorized access to an account

Weak passwords

Stolen passwords (by network, machines...)

Password reuse

Cloud use may result in unmanaged credentials

Publicly accessible applications/services may allow for brute forcing

Applies to the cloud provider: cloud support infrastructure is a back door

Data Loss

There are multiple ways to lose data:

customer accidentally deletes or modifies it (by mistake)

attacker deletes or modifies it (cryptolocker)

cloud provider accidentally deletes it

natural disaster destroys datacenter

• Backups matter

• Tombstomp

Data Breaches

Represents a collection of threats:

Insider threat, vulnerability in shared technology, etc.

• Ultimately, a company’s main asset is its data

• How does a company ensure its data is protected in the case of a successful breach?

Need to look at the threats individually...

Summary & Discussion

Thank You For Your Attention