Overview
Abstract
Vulnerability: An Overview
Cloud Computing
Cloud-Specific Vulnerabilities
Architectural Components and Vulnerabilities
Conclusion
Abstract
[Figure: examples of cloud computing services: Blog, News, Gmail, Amazon, Google Map, Plurk, Facebook, Twitter]
Vulnerability: An Overview
ISO 27005 defines risk as “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization”
EX: DB Server SQL injection
EX: Sony PSN
Vulnerability: An Overview
Defining Vulnerability
According to the Open Group’s risk taxonomy, vulnerability is the probability that an asset will be unable to resist the actions of a threat agent.
EX: Intranet vs. Extranet
Cloud Computing
Core Cloud Computing Technologies
Cloud Computing
Essential Characteristics of Cloud Computing (NIST description)
On-demand self-service.
Ubiquitous network access.
Resource pooling.
Rapid elasticity.
Measured service.
Cloud-Specific Vulnerabilities
Core-Technology Vulnerabilities
virtual machine escape
EX: VM attack
session riding and hijacking
EX: Cross-site Request Forgery
insecure or obsolete cryptography.
EX: Password attack
Cloud-Specific Vulnerabilities
Essential Cloud Characteristic Vulnerabilities
Unauthorized access to management interface.
EX: Azure management
Internet protocol vulnerabilities.
EX: Scan Host Protocol
Data recovery vulnerability.
EX: Natural disasters
Metering and billing evasion.
EX: Pay Money
Cloud-Specific Vulnerabilities
Defects in Known Security Controls - IaaS
virtualized networks offer insufficient network-based controls.
EX: vulnerability scanning is invalid
poor key management procedures.
EX: many different kinds of keys
security metrics aren’t adapted to cloud infrastructures.
EX: cloud customers can’t monitor resources
Architectural Components and Vulnerabilities
Cloud Software Infrastructure and Environment - PaaS
a development and runtime environment
EX: more supported languages
storage services
EX: database interface
communication infrastructure
EX: Azure AppFabric Service Bus
Architectural Components and Vulnerabilities
Computational Resources
concerns how virtual machine images are handled
EX: a VM is not a free resource
EX: image can be taken from an untrustworthy source
Architectural Components and Vulnerabilities
Storage
obsolete cryptography and poor key management
EX: physical disk destruction can’t be carried out
Architectural Components and Vulnerabilities
Communication
vulnerabilities of shared network infrastructure components
Architectural Components and Vulnerabilities
Cloud Web Applications
an application component operated somewhere in the cloud.
a browser component running within the user’s browser.
EX: session riding and hijacking vulnerabilities and injection vulnerabilities.
Architectural Components and Vulnerabilities
Services and APIs
application URL would only give the user a browser component
Architectural Components and Vulnerabilities
Management Access
management access is often realized using a Web application or service
Architectural Components and Vulnerabilities
Identity, Authentication, Authorization, and Auditing Mechanisms
Denial of service by account lockout.
EX: Lock Account
Weak credential-reset mechanisms.
EX: not using federated authentication
Insufficient or faulty authorization checks.
EX: root cause of URL-guessing attacks
Coarse authorization control.
EX: duty separation
Insufficient logging and monitoring possibilities.
EX: no standards for logging and monitoring
Architectural Components and Vulnerabilities
Provider
users’ inability to control cloud infrastructure
Conclusion
Cloud computing is in constant development
Any Questions?