• Home

  • Documents

  • Threats, Vulnerabilities, and Security Controls in Cloud Computing ·  · 2013-03-11This project...
1
CERIAS The Center for Education and Research in Information Assurance and Security Hans Vargas Silva, Temitope Toriola, and Melissa Dark This project is a comparison of Cloud Computing Security policies. We ex- plored threats, vulnerabilities, and controls in cloud computing, to gain a deeper understanding of cloud storage, accessibility, security, and threats. We examined security control models of three major cloud providers (Windows Azure, Google Drive, and Amazon Web Services S3). 2 34 35 38 39 53 x x x x x x x x x x x x x TO1 Script Kiddie x x x x x x x x x x x x x x x x x x x x TO2 Criminals x x x x x x x x x x x x x x x x x x x x x x x TO3 Na on State AC IA AC IR SC IA SC IA SC IA SC IA SC SA SC IR SC SA ACAC SC SC SC 3 1 2 4 2 6 12 6 12 6 12 4 12 2 4 8 6 2 1 3 2 5 3 14 2 7 7 13 7 13 7 13 7 13 7 5 6 5 27 5 Vulnerabili es Security Controls 6 8 9 11 10 1 18 28 CONTROLS CATEGORIZATION Access Control (AC) Awareness and Training (AT) Audit and Accountability (AU) Assessment and Authorization (CA) Configuration Management (CM) Contingency Planning (CP) Identification and Authentication (IA) Incident Response (IR) Maintenance (MA) Media Protection (MP) Physical and Environmental Protection (PE) Planning (PL) Personnel Security (PS) Risk Assessment (RA) System and Services Acquisition (SA) System and Communications Protection (SC) System and Information Integrity (SI) SELECTED VULNERABILITIES (SAAS) V1. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING VULNERABILITIES V2. USER PROVISIONING VULNERABILITIES V6. LACK OF RESOURCE ISOLATION V8. COMMUNICATION ENCRYPTION VULNERABILITIES V9. LACK OF OR WEAK ENCRYPTION OF ARCHIVES AND DATA IN TRANSIT V10. IMPOSSIBILITY OF PROCESSING DATA IN ENCRYPTED FORM V11. POOR KEY MANAGEMENT PROCEDURES V18. POSSIBILITY THAT CO-RESIDENCE CHECKS WILL BE PERFORMED V28. NO POLICIES FOR RESOURCE CAPPING V34. UNCLEAR ROLES AND RESPONSIBILITIES V35. POOR ENFORCEMENT OF ROLE DEFINITIONS V38. MISCONFIGURATION V39. SYSTEM OR OS VULNERABILITIES V53. INADEQUATE OR MISCONFIGURED FILTERING RESOURCES Threats, Vulnerabilities, and Security Controls in Cloud Computing

Threats, Vulnerabilities, and Security Controls in Cloud Computing ·  · 2013-03-11This project is a comparison of Cloud Computing Security policies. We ex-plored threats, vulnerabilities,

Embed Size (px)

Citation preview

Page 1: Threats, Vulnerabilities, and Security Controls in Cloud Computing ·  · 2013-03-11This project is a comparison of Cloud Computing Security policies. We ex-plored threats, vulnerabilities,

CERIASThe Center for Education and Research in Information Assurance and Security

Hans Vargas Silva, Temitope Toriola, and Melissa Dark

This project is a comparison of Cloud Computing Security policies. We ex-plored threats, vulnerabilities, and controls in cloud computing, to gain a deeper understanding of cloud storage, accessibility, security, and threats.

We examined security control models of three major cloud providers (Windows Azure, Google Drive, and Amazon Web Services S3).

2 34 35 38 39 53x x x x x x x x x x x x x TO1 Script Kiddiex x x x x x x x x x x x x x x x x x x x TO2 Criminalsx x x x x x x x x x x x x x x x x x x x x x x TO3 Nation State

AC IA AC IR SC IA SC IA SC IA SC IA SC SA SC IR SC SA AC AC SC SC SC3 1 2 4 2 6 12 6 12 6 12 4 12 2 4 8 6 2 1 3 2 5 3

14 2 7 7 13 7 13 7 13 7 13 7 5 6 5 27 5

Vulnerabilities

Security Controls

6 8 9 11101 18 28

CONTROLS CATEGORIZATIONAccess Control (AC)Awareness and Training (AT)Audit and Accountability (AU)Assessment and Authorization

(CA)Configuration Management

(CM)Contingency Planning (CP)Identification and Authentication

(IA)Incident Response (IR)Maintenance (MA)

Media Protection (MP)Physical and Environmental

Protection (PE)Planning (PL)Personnel Security (PS)Risk Assessment (RA)System and Services Acquisition

(SA)System and Communications

Protection (SC)System and Information Integrity

(SI)

SELECTED VULNERABILITIES (SAAS)V1. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING VULNERABILITIESV2. USER PROVISIONING VULNERABILITIESV6. LACK OF RESOURCE ISOLATIONV8. COMMUNICATION ENCRYPTION VULNERABILITIESV9. LACK OF OR WEAK ENCRYPTION OF ARCHIVES AND DATA IN TRANSITV10. IMPOSSIBILITY OF PROCESSING DATA IN ENCRYPTED FORMV11. POOR KEY MANAGEMENT PROCEDURESV18. POSSIBILITY THAT CO-RESIDENCE CHECKS WILL BE PERFORMEDV28. NO POLICIES FOR RESOURCE CAPPINGV34. UNCLEAR ROLES AND RESPONSIBILITIESV35. POOR ENFORCEMENT OF ROLE DEFINITIONSV38. MISCONFIGURATIONV39. SYSTEM OR OS VULNERABILITIESV53. INADEQUATE OR MISCONFIGURED FILTERING RESOURCES

Threats, Vulnerabilities, and Security Controls in Cloud Computing

CompTIA Security+ Detailed Mapping - …...2.0 Compliance and Operational Security 18% 5.0 Risk Management 14% 3.0 Threats and Vulnerabilities 20% 1.0 Threats, Attacks and Vulnerabilities

CompTIA Security+ Detailed Mapping - …...2.0 Compliance and Operational Security 18% 5.0 Risk Management 14% 3.0 Threats and Vulnerabilities 20% 1.0 Threats, Attacks and Vulnerabilities

Documents
MNE 7 Space: Dependencies, Vulnerabilities and Threats · develop an understanding of their own dependencies. Chapter 4 then describes the generic vulnerabilities, hazards and threats

MNE 7 Space: Dependencies, Vulnerabilities and Threats · develop an understanding of their own dependencies. Chapter 4 then describes the generic vulnerabilities, hazards and threats

Documents
Information Assurance: vulnerabilities, threats, and controls

Information Assurance: vulnerabilities, threats, and controls

Documents
Threats, Vulnerabilities, and Risks

Threats, Vulnerabilities, and Risks

Documents
Recent Security Threats & Vulnerabilities Computer security

Recent Security Threats & Vulnerabilities Computer security

Documents
December 2010 Managing Vulnerabilities and Threats (No, Anti-Virus

December 2010 Managing Vulnerabilities and Threats (No, Anti-Virus

Documents
CYBERSECURITY: EMERGING THREATS, VULNERABILITIES, AND

CYBERSECURITY: EMERGING THREATS, VULNERABILITIES, AND

Documents
SECURITY THREATS ON CLOUD COMPUTING VULNERABILITIES

SECURITY THREATS ON CLOUD COMPUTING VULNERABILITIES

Documents
Mobile Threats 2013: Android Malware & Vulnerabilities

Mobile Threats 2013: Android Malware & Vulnerabilities

Documents
Too Young to be Secure: Analysis of UEFI Threats and Vulnerabilities · 2017. 11. 29. · Analysis of UEFI Threats and Vulnerabilities Anton Sergeev Vladimir Bashun Vector Minchenkov

Too Young to be Secure: Analysis of UEFI Threats and Vulnerabilities · 2017. 11. 29. · Analysis of UEFI Threats and Vulnerabilities Anton Sergeev Vladimir Bashun Vector Minchenkov

Documents
Mobile Threats 2013: Android Malware & Vulnerabilities Robert Lipovsky lipovsky@eset.sk

Mobile Threats 2013: Android Malware & Vulnerabilities Robert Lipovsky [email protected]

Documents
Threats, Vulnerabilities, and Attacks

Threats, Vulnerabilities, and Attacks

Documents
Changing State of Threats and Vulnerabilities FIRMA March 30, 2010

Changing State of Threats and Vulnerabilities FIRMA March 30, 2010

Documents
Threats and Vulnerabilities. Objectives Define Threats and Vulnerabilities Different types of threats Examples How you get infected What can be done with

Threats and Vulnerabilities. Objectives Define Threats and Vulnerabilities Different types of threats Examples How you get infected What can be done with

Documents
Vulnerabilities and Threats in Distributed Systems *

Vulnerabilities and Threats in Distributed Systems *

Documents
Threats, Vulnerabilities & Security measures in Linux

Threats, Vulnerabilities & Security measures in Linux

Education
THE STATE OF SAP SECURITY 2013: VULNERABILITIES, THREATS AND TRENDS

THE STATE OF SAP SECURITY 2013: VULNERABILITIES, THREATS AND TRENDS

Documents
INTERNET INSECURITY - profsandhu.com · © Ravi Sandhu 2000-2004 5 THREATS, VULNERABILITIES ASSETS AND RISK THREATS are possible attacks VULNERABILITIES are weaknesses ASSETS are

INTERNET INSECURITY - profsandhu.com · © Ravi Sandhu 2000-2004 5 THREATS, VULNERABILITIES ASSETS AND RISK THREATS are possible attacks VULNERABILITIES are weaknesses ASSETS are

Documents
Vulnerabilities, Threats, Attacks, and Controls 11 … · Vulnerabilities, Threats, Attacks, and Controls . coml . A computer-based system has three separate but valuable components:

Vulnerabilities, Threats, Attacks, and Controls 11 … · Vulnerabilities, Threats, Attacks, and Controls . coml . A computer-based system has three separate but valuable components:

Documents
Risks threats and vulnerabilities

Risks threats and vulnerabilities

Software
Analysis of Network Security Threats and Vulnerabilities ...832701/FULLTEXT01.pdf · Analysis of Network Security Threats and Vulnerabilities by Development & Implementation of a

Analysis of Network Security Threats and Vulnerabilities ...832701/FULLTEXT01.pdf · Analysis of Network Security Threats and Vulnerabilities by Development & Implementation of a

Documents
30. IT Security: Threats, Vulnerabilities and Countermeasures (PPT)

30. IT Security: Threats, Vulnerabilities and Countermeasures (PPT)

Documents
Threats, Vulnerabilities, and Attacks · 2014-03-25 · Threats There are four primary classes of threats to network security: Unstructured threats— Unstructured threats consist

Threats, Vulnerabilities, and Attacks · 2014-03-25 · Threats There are four primary classes of threats to network security: Unstructured threats— Unstructured threats consist

Documents
C hapert Threats, Attacks, and Vulnerabilities

C hapert Threats, Attacks, and Vulnerabilities

Documents
Rethinking borderlines: Exploring borderland threats and vulnerabilities

Rethinking borderlines: Exploring borderland threats and vulnerabilities

Documents
INFORMATION ASSURANCE: TRENDS IN VULNERABILITIES, THREATS, AND

INFORMATION ASSURANCE: TRENDS IN VULNERABILITIES, THREATS, AND

Documents
Overcoming Security Threats and Vulnerabilities in SharePoint

Overcoming Security Threats and Vulnerabilities in SharePoint

Software
Security fundamentals Topic 1 Addressing security threats and vulnerabilities

Security fundamentals Topic 1 Addressing security threats and vulnerabilities

Documents
Threats & Vulnerabilities in Online Social Networks · Threats & Vulnerabilities in Online Social Networks Lei Jin LERSAIS Lab @ School of Information Sciences ... based social authentication

Threats & Vulnerabilities in Online Social Networks · Threats & Vulnerabilities in Online Social Networks Lei Jin LERSAIS Lab @ School of Information Sciences ... based social authentication

Documents
Chapter 6 Threats and vulnerabilities. Overview Threat model Agents Actions Vulnerabilities 2

Chapter 6 Threats and vulnerabilities. Overview Threat model Agents Actions Vulnerabilities 2

Documents