
Cloud Computing : Top to Bottom


This presentation provides the information you need to know about cloud computing. It describes cloud computing and related issues from top to bottom, with many survey results, definitions from different white papers, and security concerns drawn from noteworthy research papers.


Cloud Computing: Security and Privacy

Prepared by Istiyak Hossain Siddiquee, 2009331009

Supervised by Dr. Mohammed Jahirul Islam

Associate Professor

Dept. of Computer Science & Engineering, Shahjalal University of Science & Technology

Sylhet, Bangladesh.


“Cloud Computing is an important transition, a paradigm shift in IT services delivery - one that has broad impact and can present significant challenges.”

---"Cloud Computing: Considerations and Next Steps", published by Intel

“It's stupidity. It's worse than stupidity. It's a marketing hype campaign.”

---Richard Stallman, President, Free Software Foundation


An IT model or computing environment composed of IT components (hardware, software, networking, and services) as well as the processes around the deployment of these elements that together enable us to develop and deliver cloud services via the Internet or a private network.

--- Securing the Cloud, Winkler

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services).

--- Security Guidance for Critical Areas of Focus in Cloud Computing v3.0, by Cloud Security Alliance (CSA)

Cloud computing is an evolution in which IT consumption and delivery are made available in a self-service fashion via the Internet or internal network, with a flexible pay-as-you-go business model and requires a highly efficient and scalable architecture.

--- Cloud Computing: Considerations and Next Steps, Intel


“Cloud Computing refers to both the applications delivered as services over Internet and the hardware and systems software in the datacenters that provide those services.”

--- Above the Clouds: A Berkeley View on Cloud Computing, University of California, Berkeley

“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

--- National Institute of Standards and Technology (NIST)


Why Cloud


Source: IT PRO Cloud Survey By Microsoft TechNet Cloud Power


Source: The Future of Cloud Computing 3rd Annual Survey 2013 by NorthBridge and Gigaom


Source: 2013 Outlook on Technology, a survey conducted by PCConnection


Source: Leveraging the cloud for law enforcement Survey Result, IACP, SafeGov, January 31, 2013


Essential Characteristics of Cloud Computing According to NIST

• On-demand Self Service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service

• Cost containment
• Innovation speed
• Availability
• Scalability
• Efficiency
• Elasticity

Schweizerische Akademie der Technischen Wissenschaften (SATW)


So, the attractive points of cloud computing are:

• Efficiency
• Scalability
• Elasticity
• Availability
• Agility
• Recovery
• No upfront cost
• Pay as you go
• Innovation speed


Cloud Service Delivery Model


defined by NIST


Source: 2013 Outlook on Technology, PC Connection Survey


Source: IT PRO Cloud Survey By Microsoft TechNet Cloud Power


IaaS

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

---- According to NIST

provides virtual machines and other abstracted hardware and operating systems which may be controlled through a service API.

---- According to ENISA

delivers computer infrastructure (typically a platform virtualization environment) as a service, along with raw storage and networking. Rather than purchasing servers, software, data-center space, or network equipment, clients instead buy those resources as a fully outsourced service.

---- According to CSA


Source: Schweizerische Akademie der Technischen Wissenschaften (SATW)


Examples of IaaS

• Amazon EC2
• Eucalyptus
• CSC
• GoGrid
• IBM
• OpenStack
• Rackspace
• Savvis
• Terremark
• VMware


PaaS

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

----According to NIST

allows customers to develop new applications using APIs deployed and configurable remotely. The platforms offered include development tools, configuration management, and deployment platforms.

----According to ENISA

the delivery of a computing platform and solution stack as a service. PaaS offerings facilitate deployment of applications without the cost and complexity of buying and managing the underlying hardware and software and provisioning hosting capabilities. This provides all of the facilities required to support the complete life cycle of building and delivering web applications and services entirely available from the Internet.

----According to CSA


Source: Schweizerische Akademie der Technischen Wissenschaften (SATW)


Examples of PaaS

• Google App Engine
• Windows Azure
• Force.com
• Engine Yard
• AT&T Synaptic
• Boomi
• Citrix
• Red Hat OpenShift
• Heroku
• AppFog
• Amazon AWS
• Caspio


SaaS

The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings.

----According to NIST

is software offered by a third party provider, available on demand, usually via the Internet configurable remotely.

----According to ENISA

a software delivery model in which software and its associated data are hosted centrally (typically in the (Internet) cloud) and are typically accessed by users using a thin client, normally using a web browser over the Internet.

----According to CSA


Source: Schweizerische Akademie der Technischen Wissenschaften (SATW)


Examples of SaaS

• Web Mail
• Google Docs
• Facebook
• Salesforce
• LinkedIn
• Workday
• Netsuite
• ServiceNow
• Athenahealth
• Medidata
• Cornerstone OnDemand


Cloud Deployment Models


Among these models, which one is more popular?


Source: The Future of Cloud Computing, 3rd Annual Survey 2013 by NorthBridge and Gigaom


PC Connection CC Survey 2013 Results


Public Cloud

The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them.

---- According to NIST

The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

----According to ENISA

public cloud refers to solutions where resources are dynamically provisioned over the Internet from an offsite third-party provider who shares resources and bills on a fine-grained utility computing basis.

----According to Ajilitee


Examples of Public Cloud

• Amazon Elastic Compute Cloud (EC2)
• IBM’s Blue Cloud
• SunCloud
• Google AppEngine
• Windows Azure Services Platform


Private Cloud

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g. business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

--- According to NIST

The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premise or off-premise.

--- According to CSA


Examples of Private Cloud

• Amazon Virtual Private Cloud
• IBM SmartCloud Foundation
• Microsoft Private Cloud
• Cisco Private Cloud solutions
• VMware Private Cloud Computing
• Dell Cloud Solutions
• Rackspace Private Cloud
• Citrix CloudPlatform


Hybrid Cloud

The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).


Community Cloud

This cloud model overlaps with the grid to some extent. Several organizations in a private community that have similar concerns about mission, security requirements, policy, and compliance considerations share a cloud infrastructure.

The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or by a third party and may be located on premise or off-premise.

--- According to CSA


Source: Luth research and Vanson Bourne, 2013


2013 Outlook on Technology Cloud Computing Survey Results by PC Connection


Are these survey results exaggerated?


Let’s review this survey result...

Cloud Computing Vulnerability Incidents A Statistical Overview, by CSA


The American information technology research and advisory firm Gartner has identified seven cloud computing risks. These are:

• Privileged user access
• Regulatory compliance
• Data location
• Data segregation
• Recovery
• Investigative support
• Long term viability

In 2013, CSA released a noteworthy document titled “The Notorious Nine: Cloud Computing Top Threats in 2013”. In it, they identified nine security problems as the top threats for the year 2013:

• Data Breaches
• Data Loss
• Account Hijacking
• Insecure APIs
• Denial of Service
• Malicious Insiders
• Abuse of Cloud Services
• Insufficient Due Diligence
• Shared Technology Issues


So we can classify these threats into the following categories:

• Confidentiality and Privacy
• Availability
• Integrity
• Auditability and Forensics
• Other Issues

Let us go through these points.


Confidentiality and Privacy


When considering cloud computing security, the word that comes up most often is confidentiality of data. Privacy is closely related to confidentiality, because the revelation of confidential data is a violation of privacy. Confidentiality and privacy leakages can occur in two ways:

Losing control over data

Customers often become anxious about the confidentiality of their data because they lose control over it. When they host their classified information in the cloud, they usually lose control over their data, even though they keep the authorization to access it.

Privacy and Confidentiality Compromised

One of the most common threats to computing technology in general, and to cloud computing as well, is “compromise”. To describe it in detail, we will sub-divide this point.


Threats from Insiders

There are two types of threat here.

Firstly, from a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

Secondly, from the company itself. What if the company is running a cheap data mining process on your confidential data? It could even carry out espionage on your data.


Threats from Outsiders

These are the threats that worry companies. There can be many types of threat from outsiders. These are:

• Cloud malware injection attack
• Account or service hijacking
• VMware Security Problem
• Flooding Attacks
• Data Security
• Hypervisor Vulnerability
• Shared Resources Issue
• Compliance


Cloud malware injection attack

A research paper describes this type of attack: the attacker first attempts to inject a malicious service implementation or virtual machine into the cloud system. This instance then serves several purposes, ranging from eavesdropping via subtle data modification to full functionality changes or blockings. The attacker may also use SQL injection or cross-site scripting attacks to acquire sensitive data.


Account or service hijacking

Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker.


VMware Security Problem

Recent research shows that it is possible to precisely locate a client's physical address in the cloud, so an attacker can use those algorithms to locate a consumer and gather intelligence about their classified data in the cloud. Other research showed that it is possible to place the attacker's virtual machine physically beside the victim's virtual machine and then create a side channel between the two machines, which can enable the attacker to steal password information through an SSH keystroke timing attack.


Flooding Attacks

Flooding attacks consist of DoS (Denial of Service), DDoS, and EDoS. Flooding is a very old problem in computer technology, and hence in cloud computing as well; it basically consists of an attacker sending a huge number of nonsense requests. Because each of these requests has to be identified as nonsense, some computation power is required to deal with such attacks. As a result, the server sometimes does not respond in time, that is, it denies service. Sometimes the attacker attacks the cloud using botnets, which we call Distributed Denial of Service. This is much harder to tackle, as a huge number of nonsense requests arrive at the same time. There is another sort of DoS called EDoS. Here the attacker attacks the billing system of a cloud service provider in an attempt to bankrupt the CSP.
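The three flood types described above, seen from the defender's side: an added example (not part of the original slides) that classifies windows of a constructed access log as DoS, DDoS or EDoS. The log format, thresholds and prices are assumptions, and EDoS is modelled here as metered egress spend exceeding a budget.

```python
from collections import Counter, defaultdict

# All thresholds and prices are assumptions for illustration; derive real
# ones from your own traffic baseline and your provider's price list.
WINDOW = 10               # seconds per counting window
PER_CLIENT_LIMIT = 5      # requests one client may send per window
TOTAL_LIMIT = 12          # requests all clients together may send per window
COST_PER_GB = 0.09        # hypothetical metered egress price (USD)
BUDGET_PER_WINDOW = 0.50  # hypothetical spend ceiling per window (USD)


def parse(line):
    """Parse 'epoch_seconds client_ip response_bytes' (constructed format)."""
    ts, client, size = line.split()
    return int(ts), client, int(size)


def classify(lines):
    """Return {window_start: labels} for every window that looks like a flood."""
    windows = defaultdict(list)
    for ts, client, size in map(parse, lines):
        windows[ts - ts % WINDOW].append((client, size))

    findings = {}
    for start, reqs in sorted(windows.items()):
        labels = set()
        per_client = Counter(client for client, _ in reqs)
        if max(per_client.values()) > PER_CLIENT_LIMIT:
            labels.add("DoS")    # one source exceeds its own quota
        elif len(reqs) > TOTAL_LIMIT:
            labels.add("DDoS")   # every source is quiet, the sum is not
        cost = sum(size for _, size in reqs) / 1e9 * COST_PER_GB
        if cost > BUDGET_PER_WINDOW:
            labels.add("EDoS")   # metered spend exceeds the budget
        if labels:
            findings[start] = labels
    return findings


# Constructed sample log: four windows, one traffic pattern each.
SAMPLE = (
    [f"{t} 198.51.100.7 2000" for t in (1, 4, 8)]                   # normal
    + [f"{10 + i} 203.0.113.9 2000" for i in range(8)]              # one noisy source
    + [f"{20 + i % 10} 192.0.2.{i} 2000" for i in range(15)]        # many quiet sources
    + [f"{30 + i} 198.51.100.{i} 2000000000" for i in range(4)]     # few huge responses
)

if __name__ == "__main__":
    for start, labels in classify(SAMPLE).items():
        print(start, sorted(labels))
```

The per-client check alone misses the distributed case, and neither request count catches the fourth window, which is why spend is tracked as its own signal.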


Data Security

Data can be hijacked while it is in transit. This problem is actually trivial: we can encrypt the data or secure the connection between browser and server.


Hypervisor Vulnerability

The hypervisor is a critical piece of virtualized cloud infrastructure: it provides the software layer that sits between the hardware and the VMs and allows multiple VMs to share a single hardware platform. Not surprisingly, hypervisor vulnerabilities are a major source of concern for IT professionals. If a hypervisor is vulnerable to security attacks, then the integrity of the entire public or private cloud implementation is at serious risk.


Shared Resources Issues

Sharing of resources gives rise to some critical problems of unwanted data privacy leakage. This is because of data remanence in a multi-tenant hardware implementation.

Another example of a shared resources vulnerability is Reputation Fate Sharing.


Compliance

From the former NSA agent Edward Snowden we came to know that, under the long-disputed PRISM Act, the USA's National Security Agency (NSA) had been able to access the emails, Facebook accounts and videos of citizens across the world. It had even secretly acquired the phone records of millions of Americans and of other important persons of the world, such as Angela Merkel. Through a secret court, it has been able to bend nine US internet companies to its demands for access to their users' data.


Availability


Integrity


Auditability & Forensics


Other Issues

• Accidental Data Loss
• Insecure API
• Abuse of Cloud (DoS Attack Using Cloud)


Future.....
