The Security and Privacy Threats to Cloud Computing

Ankit Singh, Frankfurt am Main, Germany

April 23, 2012


1 Introduction to Cloud Computing
- Cloud Computing Example
- Three Cloud Service Models
- Threats to Cloud Computing

2 In-depth Security Analysis for Cloud Computing [2]
- Security weakness in Cloud Computing
- Data protection requirements for cloud computing services
- Government and the Cloud

3 Project for Trustworthy Cloud Computing and Conclusion
- The TClouds Project
- Conclusion of the Talk

4 Bibliography


Quick Introduction to Cloud Computing I

“Cloud computing is a term from information technology (IT) and means that software, memory capacity and computer power can be accessed via a network, for instance, the Internet or within a Virtual Private Network (VPN), as and when it is needed. The IT landscape (e.g. data processing centre, data storage facilities, e-mail and collaboration software, development environments and special software such as Customer Relationship Management [CRM]) is no longer owned and run by the company or institution, but is a service which can be rented from one or more cloud service providers” [1]


Cloud Computing Example I

Figure: Cloud Computing Example (adapted from Wikipedia)


Three Cloud Service Models [1] [2] I

Software as a Service (SaaS): Users as consumers, e.g. accounting, collaboration tools, CRM etc.

Platform as a Service (PaaS): Data processing services, e.g. Google App Engine and Microsoft Azure Platform.

Infrastructure as a Service (IaaS): Hosting services, e.g. webspaces like Amazon EC2, Go Daddy etc.

- The cloud computing service models are viewed as layers, in the same sequence as shown above.
- These models are deployed on top of the cloud infrastructure as defined by NIST [3].


List of Threats to Cloud Computing [4] I

1 Abuse of Cloud Computing (affected services: IaaS, PaaS):
- Abuse of the service through anonymity, made possible by a loose registration and validation process.
- Adversaries use these models for spamming, writing malicious code etc.

2 Insecure Interfaces and APIs (affected services: IaaS, PaaS, SaaS):
- Service providers give customers interfaces or APIs to manage and interact with cloud services.
- The security and availability of cloud services depend on the security of these basic APIs.
- Interfaces must be designed to protect against accidental and malicious attempts to circumvent policy.


List of Threats to Cloud Computing [4] II

3 Malicious Insiders (affected services: IaaS, PaaS, SaaS):
- An adversary can harvest confidential data or gain complete control over cloud services, depending on the level of access.

4 Shared Technology Issues (affected services: IaaS):
- Disk partitions, CPU caches, GPUs and other shared elements were never designed for strong compartmentalization.
- A virtualization hypervisor addresses this gap by mediating access between guest operating systems and the physical compute resources.
- Hypervisors have flaws of their own, which may result in a guest gaining inappropriate levels of control or influence over the underlying platform.


List of Threats to Cloud Computing [4] III

5 Data Loss or Leakage (affected services: IaaS, PaaS, SaaS):
- Deletion or alteration of records without a backup of the original content.
- Unlinking a record from a larger context may render it unrecoverable.
- Unauthorized parties must be prevented from gaining access to sensitive data.
- Examples: insufficient authentication, authorization and audit (AAA) controls.


List of Threats to Cloud Computing [4] IV

6 Account or Service Hijacking (affected services: IaaS, PaaS, SaaS):
- Attack methods such as phishing, fraud and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused.

7 Unknown Risk Profile (affected services: IaaS, PaaS, SaaS):
- Versions of software, code updates, security practices, vulnerability profiles and intrusion attempts are the factors for estimating a company's security posture.
- Questions that need to be addressed include: How are data and related logs stored, and who has access to them? What information may be disclosed in case of a security breach?


Security weakness in Cloud Computing I

Cloud providers fail to provide encryption to their users:
- Cloud service providers do not provide encrypted access to their Web applications.

Man-in-the-middle attacks:
- An attacker redirects the traffic between a client and a server so that it passes through the attacker.
- Achieved by forging DNS packets, DNS cache poisoning, or ARP spoofing.
- Prevention: DNSSEC and HTTPS/TLS are two technologies which can prevent this attack.
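Why HTTPS/TLS blunts a DNS-based redirect can be shown with a small model. This is an added example, not material from the talk: the host names, IP addresses and the `connect` helper are constructed, and only the name check of TLS is modelled (chain validation against trusted CAs is assumed to stop the attacker from presenting a certificate for the real name).

```javascript
const tls = require('node:tls');

// Constructed sample data (not from the talk): two servers keyed by IP address and
// the certificate names each can present. The attacker has no CA-signed certificate
// for portal.cloud.example, so its certificate names a host it does control.
const SERVERS = {
  '203.0.113.10': {
    owner: 'provider',
    cert: { subject: { CN: 'portal.cloud.example' }, subjectaltname: 'DNS:portal.cloud.example' },
  },
  '198.51.100.66': {
    owner: 'attacker',
    cert: { subject: { CN: 'portal.attacker.test' }, subjectaltname: 'DNS:portal.attacker.test' },
  },
};
const CLEAN_DNS = { 'portal.cloud.example': '203.0.113.10' };
const POISONED_DNS = { 'portal.cloud.example': '198.51.100.66' }; // forged answer

// Models one connection: resolve the name, reach whatever sits at that IP, then
// (optionally) compare the presented certificate with the name the user asked for.
function connect(resolver, host, { verifyIdentity }) {
  const ip = resolver[host];
  const server = SERVERS[ip];
  if (verifyIdentity) {
    // Node's own hostname check: returns an Error on mismatch, undefined on match.
    const err = tls.checkServerIdentity(host, server.cert);
    if (err) return { connected: false, ip, reason: err.message };
  }
  return { connected: true, ip, talkingTo: server.owner };
}

// Without the check the redirected client talks to the attacker; with it, it refuses.
console.log(connect(POISONED_DNS, 'portal.cloud.example', { verifyIdentity: false }));
console.log(connect(POISONED_DNS, 'portal.cloud.example', { verifyIdentity: true }));
console.log(connect(CLEAN_DNS, 'portal.cloud.example', { verifyIdentity: true }));
```

A client that disables certificate verification behaves like the first call, which is why unencrypted or unverified access leaves the redirect undetected.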


Security weakness in Cloud Computing II

Data encryption caveats:
- Where will the encryption key be stored?
- Where will the encryption and decryption processes be performed?

User interface attacks:
- A Web browser is used for accessing Web applications. Thus, the browser's user interface becomes an important security factor.
- Example: An attacker tries to fool the user into thinking that she is visiting a real website instead of a forgery. Techniques used here include fake HTTPS lock icons.
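One possible answer to the two data encryption questions above is to keep the key on the client and to encrypt and decrypt there, so the provider stores only ciphertext. The sketch below is an added example, not part of the talk; `cloudStore`, the object names and the helper functions are hypothetical, and AES-256-GCM is the cipher chosen for the illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Stand-in for the provider's object store (hypothetical): it holds only what is uploaded.
const cloudStore = new Map();

// "Where is the key stored?" Generated and kept on the client. Here it lives in a
// variable; in practice a local keystore or an HSM would hold it.
function newClientKey() {
  return nodeCrypto.randomBytes(32); // 256-bit AES key
}

// "Where is encryption performed?" On the client, before anything is uploaded.
function sealAndUpload(key, name, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every object
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(name, 'utf8')); // bind the ciphertext to its object name
  const body = Buffer.concat([cipher.update(Buffer.from(plaintext, 'utf8')), cipher.final()]);
  cloudStore.set(name, Buffer.concat([iv, cipher.getAuthTag(), body])); // iv | tag | ciphertext
}

// Decryption also happens on the client. Returns null if the stored blob was altered,
// moved under another name, or encrypted under a different key.
function downloadAndOpen(key, name) {
  const blob = cloudStore.get(name);
  if (!blob || blob.length < 28) return null;
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(name, 'utf8'));
  decipher.setAuthTag(blob.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM authentication failed
  }
}
```

Because the key never reaches the provider, a malicious insider or a disclosure request served on the provider yields ciphertext only; the cost is that losing the client key makes the data unrecoverable.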


Research Recommendations by ENISA [5] I

Research recommendations by the European Network and Information Security Agency (ENISA):

Building Trust in the Cloud:
- Certification processes and standards for clouds: COBIT (52), ITIL (53) etc.
- Metrics for security in cloud computing
- Effects of different forms of reporting breaches on security
- Increasing transparency while maintaining appropriate levels of security
- End-to-end data confidentiality
- Extending cloud-based trust to client-based data and applications

Data Protection in Large-Scale Cross-Organizational Systems:


Research Recommendations by ENISA [5] II

- Data destruction and lifecycle management
- Integrity verification of backups and archives in the cloud and their version management
- Forensics and evidence gathering mechanisms
- Incident resolution and rules of evidence
- International differences in relevant regulations, including data protection and privacy, i.e. legal means to facilitate the smooth functioning of multi-national cloud infrastructures.

Large-Scale Computer Systems Engineering:
- Security in depth within large-scale distributed computer systems
- Security services in the cloud, i.e. adaptation of traditional security perimeter control technologies to the cloud, like HSM, web filters, firewalls, IDS etc.


Research Recommendations by ENISA [5] III

- Resource isolation mechanisms: data, processing, memory, logs, etc.
- Interoperability between cloud providers
- Portability of VM, data and VM security settings from one cloud provider to another (to avoid vendor lock-in), and maintaining state and session in VM backups.
- Standardization of interfaces to feed data, applications and whole systems to the cloud.
- Resource (bandwidth and CPU, etc.) provisioning and allocation at scale (elasticity)
- Scalable security management (policy and operating procedures) within cloud platforms


Government and the Cloud [2] I

United States: One of the most important legal tools used by the U.S. Government to force cloud providers to hand them users' private data is the third-party doctrine. Other relevant laws include the Wiretap Act, the All Writs Act and the Foreign Intelligence Surveillance Act.

Example: Facebook can provide complete profile information and uploaded photos to law enforcement irrespective of her privacy


Government and the Cloud [2] II

Germany: §§111 and 112 of the 2004 Telecommunications Act (Telekommunikationsgesetz in German) allow the government to force telecommunication service providers (which include cloud service providers like webmail) to hand over information such as a customer's name, address, birthdate, and email address, without a court order, through an automated query system that includes a search function in case law enforcement has incomplete request data.

Example: A case of court-ordered surveillance in Germany is the Java Anonymous Proxy (JAP), which is open source software for anonymously browsing websites.


The TClouds Project I

Trustworthy Clouds (TClouds) is a European Commission funded project.

GOAL: To develop a trustworthy cloud computing infrastructure, which enables comprehensible and audit-proof processing of personal or otherwise sensitive data in a cloud without limiting the solution to just a physically separated private cloud [6].

Target Scenarios:

- Energy Sector: Portugal's leading energy supplier Energias de Portugal (EDP) and electronics company EFACEC, in the field of smart power grids

- Healthcare Sector: Italian hospital San Raffaele in Milano


The TClouds Project II

Technical Implementation: Focuses on communication protocols between different cloud service providers, new open security standards, APIs and effective management components for cloud security.


Conclusion I

Cloud computing is an upcoming field due to the attractive services provided by cloud computing service providers.

Privacy and data security are the biggest challenges when it comes to storing and processing critical business or personal data in a cloud.

There are many challenges that we can only face if we understand what we are dealing with, how it may affect us and which possible solutions exist.

We must convince cloud providers and users of the importance of implementing available security technologies.


Conclusion II

The requirements of national and international data protection laws are a major concern. As a consequence, this leads to stronger market growth of so-called private and community clouds, which are aligned more closely to the specific requirements of single customers or a narrowly defined user group.

Putting sensitive and private data on the cloud should be avoided because of current security threats.


Bibliography I

[1] SWISS - Guide to cloud computing, Federal Data Protection and Information Commissioner FDPIC.

[2] Security, Privacy and Cloud Computing, Jose Tomas Robles Hahn, Future Internet Seminar - Winter Term 2010/2011, Chair for Network Architectures and Services, Faculty of Computer Science, Technische Universität München.

[3] National Institute of Standards and Technology, U.S. Department of Commerce, Guidelines on Security and Privacy in Public Cloud Computing, Wayne Jansen, Timothy Grance.

[4] Top Threats to Cloud Computing 2010, Prepared by the Cloud Security Alliance, March 2010.

[5] Cloud Computing, Benefits, risks and recommendations for information security, European Network and Information Security Agency.

[6] Trustworthy Clouds (TClouds) - Privacy meets Innovation by Eva Schlehahn and Marit Hansen, Independent Centre for Privacy Protection Schleswig-Holstein, Germany.

[7] Cloud Security Alliance (CSA), https://cloudsecurityalliance.org/ Last Access: April 23, 2012.
