Kia Manoochehri.  Background  Threat Classification ◦ Traditional Threats ◦ Availability of cloud services ◦ Third-Party Control  The “Notorious Nine”

Presentation transcript:

1 Kia Manoochehri

2
- Background
- Threat Classification
  - Traditional Threats
  - Availability of cloud services
  - Third-Party Control
- The “Notorious Nine”
- Contractual Obligations

3
- Security: “freedom from risk and danger”
- In Computer Science we define security as…
  - “the ability of a system to protect information and system resources with respect to confidentiality and integrity”

4
- Three core areas
  - Confidentiality
  - Integrity
  - Authentication

5
- Some other security concepts
  - Access Control
  - Nonrepudiation
  - Availability
  - Privacy

7
- Cloud Service Providers (CSP) provide a “target rich environment”
- Consolidation of information draws potential attackers
- Potential problematic areas in the field of Cloud Computing aren’t transparent.

8
- Three broad classifications
  - Traditional Threats
  - Availability Threats
  - Third-Party Control Threats

9
- Any time a computer is connected to the internet it is at risk…
  - When we are dealing with Cloud based applications we are amplifying these threats
- Question of responsibility
  - User vs Provider

10
- Authorization and Authentication
  - Individual access vs enterprise access
- One solution would be to have tiered access
  - Not every user is created equal!

11
- Distributed Denial of Service attacks (DDoS)
- SQL Injection
- Phishing
- Cross-Site Scripting

12
- Digital forensics cannot be applied to the cloud
  - Difficult to trace where an attack is from
- Virtual Machine vulnerabilities extend to the cloud as well

13
- System failures
  - http://www.forbes.com/sites/anthonykosner/2012/06/30/amazon-cloud-goes-down-friday-night-taking-netflix-instagram-and-pinterest-with-it/
  - Amazon’s Elastic Compute Cloud (EC2) in North Virginia goes down due to lightning.
- Netflix, Instagram, and Pinterest were down for at least a few hours.

14
- Problem stems from CSP outsourcing certain aspects of their operation
  - How does this affect
- Introduces more points of entry and vulnerability to the Cloud

15
- In 2010 the Cloud Security Alliance (CSA) defined 7 major threats to Cloud Computing
- February 2013 yielded their “Notorious Nine” list
  - 9 major threats in Cloud Computing

16
- Data Breaches
  - Currently the biggest threat
  - The solution is encryption… but
- What if you lose the key?
  - Backing up the data is not viable either
- Example: Epsilon

17
- Data Loss
  - Malicious deletion
  - Accidental deletion by CSP
  - Physical catastrophe
  - Loss of the encryption key
- Compliance policies require audit records
- Example: Mat Honan

18
- Account/Service Hijacking
  - Phishing, fraud, software exploits
  - Organizations should be proactive
  - Two-Factor authentication
- Example: XSS attack on Amazon

19
- Insecure Interfaces and APIs
  - Any vulnerability in an API bleeds over
  - Can affect security and availability
  - Partially falls on the consumer

20
- Denial of Service
  - From the user end… most frustrating
  - Can cost cloud users $$$
  - Makes the user doubt the cloud

21
- Malicious Insiders
  - Straightforward
  - Systems that depend only on the CSP for security are at greatest risk
  - If data-usage encryption is used, the data is still vulnerable during storage

22
- Abuse of Cloud Services
  - Using CSP for malicious purpose
  - Hacking encryption keys via cloud
  - DDoS attacks via cloud
  - Problems of detection arise

23
- Insufficient Due Diligence
  - Insufficient user experience
  - Unknown levels of risk when using CSP
  - Design and architecture issues for devs
  - Countered by:
    - Capable resources
    - Extensive internal understanding of risks

24
- Shared Technology Vulnerabilities
  - CPU caches, GPUs are not designed to be isolated
  - A single vulnerability can lead to an entire environment being compromised

25
- Buffer Overflow
- SQL Injection
- Privilege escalation
- SSL Certificate spoofing
- Attacks on browser caches
- Phishing attacks
- Limiting resources
- Privilege-related attacks
- Data Distortion
- Injecting additional operations
- DDoS attacks

26
- Goal is to minimize the security risks
- Contract between the CSP and user should:
  - State CSP obligations to handle sensitive information securely and its compliance with privacy laws
  - Spell out CSP liability for mishandling information
  - Spell out CSP liability for data loss
  - Spell out rules governing ownership of data
  - Specify the geographical regions where information and backups can be stored.

27 Kia Manoochehri
