On technical security issues in cloud computing
Presented by:
Sashikanta Taorem, 1RV09SCS16
M.Tech – CSE, 2nd Semester
Outline
• Introduction
• Literature Survey
• Cloud computing security issues
• Conclusion and Future works
Introduction
• What is Cloud Computing?
• Security concerns in Cloud Computing.
What is Cloud Computing?
• C - Common Platform
• L – Location Independent
• O – Online Services
• U – Utility
• D – On Demand
Cloud Layers and Access Technology
• SaaS – Fortiva's email archiving service
• PaaS – Google App Engine
• IaaS – Amazon’s Elastic Compute Cloud (EC2)
Cloud Computing Security Concern
• Entrusting one's own data and execution tasks to an external company.
• The provider may be in a different country with different regulations.
• Focus – Data Confidentiality, Data Safety, Data Privacy
Literature Survey
• Web Service Security
• Transport Layer Security
Web Service Security
• For a SOAP (Simple Object Access Protocol) message, it defines how to provide
– Integrity
– Confidentiality
– Authentication
• WSS defines a SOAP header that carries the WSS security extensions
• Defines how XML security standards apply to SOAP messages, such as
– XML Signature
– XML Encryption
XML Signature
Transport Layer Security
• TLS and its predecessor, Secure Sockets Layer (SSL)
• Cryptographic protocols that provide security for communications over networks such as the Internet.
• TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.
• Used in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).
Cloud Computing Security Issues
• XML Signature
• Browser Security
• Cloud Integrity and Binding Issues
• Flooding Attacks
XML Signature
• Issue: XML Signature Element Wrapping
• In 2008 it was discovered that Amazon’s EC2 services were vulnerable to wrapping attacks.
SOAP message with signed SOAP body
SOAP message after attack
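A receiver-side check for the wrapping issue above, as an added example that is not part of the original slides: it confirms that the element the signature references is the one Body the application will process. The message layout is simplified (no wsse:Security wrapper), the samples and operation names are constructed, and cryptographic verification of the signature is assumed to be done separately by the WS-Security library.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ID_ATTR = f"{{{WSU}}}Id"
BODY_TAG = f"{{{SOAP}}}Body"

def check_signed_body_binding(xml_text):
    """Return (ok, reason): does the signature cover the Body that will be processed?"""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP}}}Envelope":
        return False, "root is not a SOAP Envelope"
    bodies = root.findall(BODY_TAG)  # direct children of Envelope only
    if len(bodies) != 1:
        return False, "expected exactly one Body under Envelope"
    body = bodies[0]
    refs = [r.get("URI", "") for r in root.iter(f"{{{DS}}}Reference")]
    body_id = body.get(ID_ATTR)
    if body_id is None or f"#{body_id}" not in refs:
        return False, "processed Body is not the signed element"
    for uri in refs:  # every reference must resolve to exactly one element
        hits = [e for e in root.iter() if e.get(ID_ATTR) == uri[1:]]
        if len(hits) != 1:
            return False, f"reference {uri} resolves to {len(hits)} elements"
    if any(e.tag == BODY_TAG and e is not body for e in root.iter()):
        return False, "additional Body element outside its expected position"
    return True, "ok"

def _envelope(header_extra, body):
    """Build a constructed sample message whose signature references #body-1."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">'
            f'<s:Header><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature>'
            f'{header_extra}</s:Header>{body}</s:Envelope>')

# Constructed samples (hypothetical operation names).
SIGNED_BODY = '<s:Body wsu:Id="body-1"><op>getStatus</op></s:Body>'
BENIGN = _envelope("", SIGNED_BODY)
WRAPPED = _envelope(f"<Wrapper>{SIGNED_BODY}</Wrapper>",
                    '<s:Body wsu:Id="body-2"><op>changeSetting</op></s:Body>')
DUPLICATE_ID = _envelope(f"<Wrapper>{SIGNED_BODY}</Wrapper>",
                         '<s:Body wsu:Id="body-1"><op>changeSetting</op></s:Body>')

if __name__ == "__main__":
    for name, msg in [("benign", BENIGN), ("wrapped", WRAPPED), ("dup-id", DUPLICATE_ID)]:
        print(name, check_signed_body_binding(msg))
```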
Browser Security
• The Legacy Same Origin Policy (SOP)
• Attacks on Browser-based Cloud Authentication
• Secure Browser-based Authentication
• Future Browser Enhancements
Same Origin Policy
• Allows read/write operations only between content from the same origin.
• An origin is defined by the tuple (domain name, protocol, port).
• Problems:
– DNS caches can easily be filled with bogus data.
– Since DNS heavily relies on caching, domain names become unreliable.
Attacks on Browser-based Cloud Authentication
• Since the browser itself is unable to generate cryptographically valid XML tokens to authenticate against the cloud, this is done with the help of a trusted third party.
• Federated Identity Management (FIM) protocols, e.g. Microsoft’s Passport
Attacks on Browser-based Cloud Authentication
• Current browser-based authentication protocols for the Cloud are not secure, because
– the browser is unable to issue XML based security tokens by itself, and
– Federated Identity Management systems store security tokens within the browser, where they are only protected by the (insecure) SOP
Secure Browser-based Authentication
• Is done by integrating TLS and SOP, and securing FIM protocols.
• 4 ways:
– TLS federation – uses X.509 client certificate
– SAML 2.0 holder-of-key assertion profile
– Strong Locked same origin policy – uses server’s public key instead of DNS
– TLS session binding
Future Browser Enhancements
• Add two enhancements to the browser security API:
1. XML Encryption
2. XML Signature
• In addition, the API should be powerful enough to support all standard key agreement methods specified in the WS-Security family of standards
Cloud Integrity and Binding Issues
• Cloud Malware Injection Attack
• Metadata Spoofing Attack
Cloud Malware Injection Attack
• Injecting a malicious service implementation or virtual machine into the cloud system
• Requires the attacker to create their own malicious service implementation module (SaaS/PaaS/IaaS) and add it to the cloud system
• Solution:
– A service instance integrity check prior to using a service instance for incoming requests.
– This can be done by storing a hash value of the original service instance’s image file.
Metadata Spoofing Attack
• Aims at maliciously reengineering a web service's metadata descriptions.
• Example:
– Modifying a WSDL (Web Service description document) so that a call to a deleteUser operation syntactically looks like a call to another operation, say setAdminRights
• Solution:
– Hash-based integrity verification of the metadata description file prior to usage is required.
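One way to implement the hash-based check proposed for both the service instance image and the WSDL file, as an added example that is not part of the original slides. The manifest format, file names and WSDL fragment are constructed for illustration, and the manifest is assumed to be stored where someone able to modify the artifact cannot also modify it.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large VM images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_artifact(path, manifest):
    """Fail closed: True only if the file is listed and its digest matches."""
    expected = manifest.get(os.path.basename(path))
    if expected is None or not os.path.isfile(path):
        return False
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    """Check a trusted WSDL, a modified copy, and a file missing from the manifest."""
    # Constructed WSDL fragment; operation names are the ones used on the slide.
    trusted = (b'<definitions name="UserAdmin"><portType name="UserPort">'
               b'<operation name="deleteUser"/>'
               b'<operation name="setAdminRights"/>'
               b'</portType></definitions>')
    # Stand-in for any unauthorized modification of the description file.
    tampered = trusted.replace(b'"deleteUser"', b'"setAdminRights"', 1)
    with tempfile.TemporaryDirectory() as d:
        wsdl = os.path.join(d, "service.wsdl")
        with open(wsdl, "wb") as f:
            f.write(trusted)
        manifest = {"service.wsdl": sha256_file(wsdl)}  # recorded at deployment
        ok_original = verify_artifact(wsdl, manifest)
        with open(wsdl, "wb") as f:
            f.write(tampered)
        ok_tampered = verify_artifact(wsdl, manifest)
        ok_unlisted = verify_artifact(os.path.join(d, "other.wsdl"), manifest)
    return ok_original, ok_tampered, ok_unlisted

if __name__ == "__main__":
    print(demo())
```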
Flooding Attack
• Direct Denial of Service
• Indirect Denial of Service
• Accounting and Accountability
Conclusion and Future Work
• Improving Cloud Computing security consists of strengthening the security capabilities of both Web browsers and Web Service frameworks, ideally integrating the latter into the former.
Thank You