SECURITY IN CLOUD COMPUTING

ByBina BhaskarAnand Mukundan

Introduction

Cloud computing is not a new technology but rather a new delivery model for information and services using existing technologies. Along with variant advantages, cloud storage also poses new security challenges. Potential users are reluctant to move important and sensitive data to cloud unless security challenges have been well addressed.

About Security in cloud

Image courtesy: Wikipedia

About Security in cloud (cont..)

With so many points of failure that can be identified in a cloud, there are various levels at which security needs to be established.

o VM security

o Data security

o Software security

Why is this essential?

• Potential cloud customers emphasize checks on vendor security measures in order to help them make final cloud computing purchases.

• According to a survey [published in the Fall of 2009 by Mimecast

and reported by Hosting News online] 46 percent of all business respondents cited security as a concern in adopting cloud computing as an IT strategy.

Misconception

• Clouds can never be secureThis is not true because cloud is like any other network we use currently.    

Image courtesy : http://www.accmanpro.com/2010/10/29/cloud-misconceptions-security-tops-the-list/

Vulnerabilities exposed in cloud (1)

• National Database of Vulnerabilities lists over a hundred potential hypervisor flaws for one particular virtualization technology.

Image courtesy: http://lpage.joyent.com/rs/joyent/images/Joyent_Security_Whitepaper_Final_20101001.pdf

Vulnerabilities exposed in cloud (2)

• Hypervisor Holes

o Ability to insert code into virtual machines, o The disclosure of unauthorized informationo Potential disruption of service.

 

• Concern regarding cloud vendors that do not adequately divulge their security and reliability audits to current or potential clients.

Vulnerabilities exposed in cloud (3)

•  Malware Injection Attack

o Adversary creates own instance of virtual machine or service module

o Cloud system is manipulated by the adversary in such a way that it points to the adversary's implementation of the service or instance

Vulnerabilities exposed in cloud (4)

• Denial of Service

o Cloud provides additional computing power to cope with additional workload.

o The cloud will try to work against a DOS attacker by providing more computing power.

o An adversary can manage to utilize another (or the very same) Cloud Computing system for hosting his/her attack. 

Vulnerabilities exposed in cloud (5)

• Browser Issues

o Same Origin Policyo Federated Identity Management (FIM) protocols

• XML Signature 

o Manipulation of SOAP messageso Hacking a legitimate user's account 

• Twitter/Google Apps hack raises questions about cloud security and the feasibility of storing critical information in Web-based services were being raised in the wake of a hacking incident involving Twitter and Google Apps.

Vulnerabilities exposed in cloud (6)

• Metadata Spoofing attack

o adversary manipulates / re-engineers the metadata content of a web service so that the web service's intended operation is replaced by another operation

• Very recently in the last year or so some research studies have been carried out to expose the problems related to cloud storage systems but a concrete solution adaptable has not been reported yet.

Our path ahead…..

• We propose to continue our search for more relevant and up to date vulnerabilities in cloud and report them.

Extensive literature survey.

Collaborating with individuals already in the research.

Our path ahead

• In this process we propose to develop and assess use-cases that can be suitable to encounter these threats.

Assessing already existing/tentative models to deal with the vulnerabilities (advantage and disadvantage).

Our opinion and ideas.

With inputs and suggestions from experts.

Thank you!