SECURITY IN CLOUD COMPUTING By Bina Bhaskar Anand Mukundan

Startups & Small businesses Can use clouds for everything. SaaS, IaaS, collaboration services, online presence. Mid-Size Enterprises Can use clouds for many things. Compute cycles for R&D projects, online collaboration, partner integration, social networking, new business tools. Large Enterprises More likely to have hybrid models where they keep some things in house. On premises data for legal and risk management reasons. Courtesy : Juniper Networks Who is using Clouds today?

Problem Statement Image courtesy: Wikipedia VM SECURITY DATA SECURITY SW SECURITY

Identify Assets Which assets are we trying to protect? What properties of these assets must be maintained? Identify Threats What attacks can be mounted? What other threats are there (natural disasters, etc.)? Identify Countermeasures How can we counter those attacks? Appropriate for Organization-Independent Analysis We have no organizational context or policies Problem Statement Courtesy : Juniper Networks

Misconception Clouds can never be secure This is not true because cloud is like any other network we use currently. Image courtesy :

Cloud Service Deployment Image courtesy :

Vulnerabilities exposed in cloud (1) National Database of Vulnerabilities lists over a hundred potential hypervisor flaws for one particular virtualization technology. Image courtesy:

Vulnerabilities exposed in cloud (2) Hypervisor Holes o Ability to insert code into virtual machines. o The disclosure of unauthorized information o Potential disruption of service. o Run several varieties of guest operating systems o One could use root access to the hypervisor to commit dirty deeds such as planting rootkits into the memory of running operating system kernels

Vulnerabilities exposed in cloud (3) Securing Data Storage o The data stored in the cloud may be frequently updated by the users. o Focus on single server scenario which does not consider dynamic data operations. o Traditional cryptographic primitives for the purpose of data security protection cannot be directly adopted due to the users’ loss of control of their data under Cloud Computing.

Vulnerabilities exposed in cloud (4) VM Placement attacks o Denial of Service o Measure cache usage (measure CPU utilization on the physical machine; or “how busy are their servers?”) o Load-based co-residence detection (aka detecting co-residence without relying on sending any network probes) o Estimating traffic rates (sounds harmless but can be used to deduce targets activity patterns, peak trading times for maximal DoS effect etc) o Keystroke timing attack (remote keystroke monitoring)

Vulnerabilities exposed in cloud (8) Metadata Spoofing attack o Adversary manipulates / re-engineers the metadata content of a web service so that the web service's intended operation is replaced by another operation. Original WSDL Modified WSDL

Vulnerabilities exposed in cloud (5) Malware Injection Attack o Adversary creates own instance of virtual machine or service module o Cloud system is manipulated by the adversary in such a way that it points to the adversary's implementation of the service or instance

Vulnerabilities exposed in cloud (7) XML Signature

Vulnerabilities exposed in cloud (6) Denial of Service o Direct DOS o Indirect DOS

Existing Cloud Security Models (1) Cloud Storage Model Multi-Party Non-Repudiation o Normal Mode o Resolve Mode

Existing Cloud Security Models (2) Three level security model Image courtesy: Data Security Model for Cloud Computing

Existing Cloud Security Models (3) Cloud Cube Model Image courtesy: Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration by Jercho Forum

Policies related to Security Application security Maintaining Integrity Authentication / Access Control

Suggested Framework USER A USER B Data Application > FOREIGNFOREIGN ATTACKSATTACKS 3LS Data APP 3LS

Thank you!