Security in Cloud Computing

Published on January 2017

ID # 374509

The University of Melbourne
Department of Electrical and Electronic Engineering
Subject Number and Name: 431-627 Signalling and Network Management
Assignment Title: Security in Cloud Computing

Student Name: Syed Aoun Bin Ahsan
Student Number: 374509


Contents
1. INTRODUCTION
2. ABUSE AND NEFARIOUS USE OF CLOUD COMPUTING
   REMEDIATION
3. INSECURE APPLICATION PROGRAMMING INTERFACES
   REMEDIATION
4. MALICIOUS INSIDERS
   REMEDIATION
5. SHARED TECHNOLOGY ISSUES
   REMEDIATION
6. DATA LOSS/LEAKAGE
   REMEDIATION
7. ACCOUNT OR SERVICE HIJACKING
   REMEDIATION
8. UNKNOWN RISK PROFILE
   REMEDIATION
9. CONCLUSION
10. REFERENCES


1. INTRODUCTION
Cloud Security is an evolving sub-domain of computer security, network security, and at a broader level information security. The cloud security concept refers to a wide set of policies, technologies, and controls which are deployed to secure data, applications, and the related infrastructure of a cloud computing system [1, 2].

For cloud customers, security has been the prime concern for obvious reasons; many of them will make buying choices based on a cloud provider's reputation for privacy, confidentiality, reliability and resilience, and on the security services it offers. This is a strong driver for cloud providers to constantly improve their security practices and mitigate the issues that concern their customers [3, 4].

To aid both cloud customers and providers, the Cloud Security Alliance (CSA) developed “Security Guidance for Critical Areas in Cloud Computing”. This guidance quickly became the industry-standard catalogue of best practices for securing cloud computing [5].

The prime objective of this document, “Top Threats to Cloud Computing”, is to provide the needed context to assist organizations in making intelligent risk management decisions regarding their cloud adoption strategies for their respective business environments [5].

There has been much debate about what is “in scope” for this research. We anticipate that this debate will continue, and that future versions of “Top Threats to Cloud Computing” will reflect the consensus nurtured by those debates. While there are many issues, such as the provision of financial stability, we initially want to focus on the issues we feel are either unique to or greatly amplified by the key characteristics of cloud computing (like its shared, on-demand nature). We identify the following threats in our initial document [5, 6]:

- Abuse and Nefarious Use of Cloud Computing
- Insecure Application Programming Interfaces
- Malicious Insiders
- Shared Technology Vulnerabilities
- Data Loss/Leakage
- Account, Service & Traffic Hijacking
- Unknown Risk Profile

2. ABUSE AND NEFARIOUS USE OF CLOUD COMPUTING
Criminals and expert data counterfeiters continue to adopt new technologies to extend their reach and avoid detection. Cloud computing providers are targeted by these activities, partly because their relatively weak registration systems facilitate anonymity. Moreover, the fraud detection capabilities of cloud providers are limited [5].

REMEDIATION [5]
- Stricter initial registration and validation processes
- Enhanced credit card fraud monitoring and coordination
- Comprehensive introspection of customer network traffic
- Monitoring public blacklists for one’s own network blocks

The remedies mentioned above are attractive because they require neither extensive resources nor a significant amount of time. Their benefits are several: they build up a good level of availability for genuine customers and restrict abuse of the network and physical infrastructure of the data centre. A side advantage is simplified and cost-efficient data centre operations.
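The blacklist-monitoring remedy in the list above can be automated. The following is an added example, not part of the original report: it checks every host address of a provider's own network block against a DNS-based blacklist using the standard reversed-octet query convention. The zone `dnsbl.example`, the block `203.0.113.0/29` and the stub resolver are constructed placeholders.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBL listing codes live here

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the list answers with an address in 127.0.0.0/8.

    A failed lookup (NXDOMAIN) means "not listed". An answer outside
    127.0.0.0/8 is not a listing code, so it is ignored rather than trusted.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return False
    return ipaddress.IPv4Address(answer) in LISTED_NET

def audit_block(cidr, zones, resolve=socket.gethostbyname):
    """Check every host address of one's own block against each zone."""
    return [(str(host), zone)
            for host in ipaddress.IPv4Network(cidr).hosts()
            for zone in zones
            if is_listed(str(host), zone, resolve)]

# Constructed stand-in for DNS so the example runs offline (assumption:
# "dnsbl.example" is a placeholder zone, 203.0.113.0/29 a documentation block).
FAKE_ZONE_DATA = {
    "5.113.0.203.dnsbl.example": "127.0.0.2",     # listed
    "6.113.0.203.dnsbl.example": "203.0.113.99",  # not a listing code
}

def fake_resolve(name):
    try:
        return FAKE_ZONE_DATA[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN") from None

if __name__ == "__main__":
    for ip, zone in audit_block("203.0.113.0/29", ["dnsbl.example"], fake_resolve):
        print(f"{ip} is listed on {zone}")
```

Passing the resolver as a parameter keeps the check testable offline; in production the default `socket.gethostbyname` performs the real lookup.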

3. INSECURE APPLICATION PROGRAMMING INTERFACES
Although most cloud providers continuously strive to incorporate security best practices into their service models, it is difficult for the consumers of those services to understand the security implications associated with the usage, management and monitoring of cloud services. Dependence on a weak set of interfaces and APIs exposes organizations to a variety of security issues regarding confidentiality, reliability, accessibility and liability [5].

REMEDIATION [5]
- Analyse the security model of cloud provider interfaces
- Ensure strong authentication and access controls are implemented in conjunction with encrypted transmission
- Understand the dependency chain associated with the API

Cloud characteristics make configuration management and ongoing provisioning significantly more complicated than in traditional application deployment. The environment drives the need for architectural modifications to assure complete application security. Encrypted data transmission will eradicate the threat of criminals misusing the data even if they are smart enough to get hold of it.

4. MALICIOUS INSIDERS
The impact that malicious insiders can have on an organization is undeniable, given their level of access and ability to infiltrate organizations and assets. Certain business operations can be affected by a malicious insider. Brand damage, financial impact, privacy intervention, and production losses are some of the most concerning outcomes. When an organization adopts cloud services, the human element takes on even more profound importance. It is important that cloud consumers understand what providers are doing on their end to detect and defend against the malicious insider threat [5].

REMEDIATION [5]
- Enforce strict supply chain management and conduct a comprehensive supplier assessment
- Specify human resource requirements as part of legal contracts
- Require transparency into overall information security and management practices, as well as compliance reporting
- Determine security breach notification processes


Identification management is of real importance. The use of biometric systems can make the whole process more accurate, so that unauthorized insiders will do no real harm.

5. SHARED TECHNOLOGY ISSUES
It is a matter of observation that attacks in recent years have targeted the shared technology resources in a cloud computing environment. Shared elements such as disk partitions, CPU caches and GPUs are not engineered for strong compartmentalization. As a result, criminals focus their activities on impacting the operations of other cloud customers and try to gain unauthorized access to data [5].

REMEDIATION [5]
- Implement security best practices for installation/configuration
- Monitor environment for unauthorized changes/activity
- Promote strong authentication and access control for administrative access and operations
- Enforce service level agreements for patching and vulnerability remediation
- Conduct vulnerability scanning and configuration audits

Implementing a secure configuration, with frequent administrative monitoring of the cloud computing environment, raises the barriers to access and removes the vulnerability to data leakage.

6. DATA LOSS/LEAKAGE
A business can be affected greatly by any sort of data leakage. Besides the damage to one’s brand or the industry’s reputation, a data loss could significantly impact not only the business owner but employees and partners equally; the bigger damage is the loss of customers’ morale and trust in the enterprise’s name. The core of any business’s prosperity lies in its database, and leakage or loss of data can have a devastating effect on its stability. Such a loss can directly affect the productivity of an enterprise [5].


The obvious threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment [5].

REMEDIATION [5]
- Encryption schema to ensure that the shared storage environment safeguards all data
- Stringent access controls to prevent unauthorized access to the data
- Scheduled data backup and safe storage of the backup media
- Implement strong API access control
- Encrypt and protect integrity of data in transit
- Analyse data protection at both design and run time
- Implement strong key generation, storage and management, and destruction practices
- Contractually demand providers wipe persistent media before it is released into the pool
- Contractually specify provider backup and retention strategies

Data integrity is the most important aspect of security and confidentiality. The present concern regarding adoption of cloud computing is security, and the measures mentioned above set a threshold for cloud providers. They involve initial and continuing expenses but are also a strong point for attracting a larger clientele.

7. ACCOUNT OR SERVICE HIJACKING
Account and service hijacking, which usually happens through stolen credentials, remains the most worrying threat. With stolen credentials, attackers often try to access extremely private areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity and availability of those services [5].

REMEDIATION [5]
- Prohibit the sharing of account credentials between users and services.
- Leverage strong two-factor authentication techniques where possible.
- Employ proactive monitoring to detect unauthorized activity.
- Understand cloud provider security policies and SLAs.

Simply controlling the exchange of credentials can eliminate intrusion by unauthorized people in a cloud environment.
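One way to implement the proactive monitoring and the no-shared-credentials rule from the list above, as an added example that is not part of the original report: flag accounts whose successful logins come from more than one source address within a short window. The log format, account names, addresses and the 10-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <source IP> <result>"
SAMPLE_LOG = """\
2017-01-10T09:00:00 alice 198.51.100.10 success
2017-01-10T09:02:00 svc-backup 192.0.2.20 success
2017-01-10T09:04:00 alice 203.0.113.77 success
2017-01-10T09:05:00 bob 198.51.100.11 failure
2017-01-10T09:30:00 bob 198.51.100.11 success
2017-01-10T11:00:00 bob 198.51.100.12 success
2017-01-10T11:01:00 svc-backup 192.0.2.20 success
malformed line
"""

def parse(lines):
    """Yield (time, account, ip) for successful logins, skipping bad lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "success":
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def concurrent_use(log_text, window=timedelta(minutes=10)):
    """Return {account: sorted source IPs} for accounts seen from two or more
    addresses inside `window`, a sign of shared or stolen credentials."""
    by_account = defaultdict(list)
    for when, account, ip in parse(log_text.splitlines()):
        by_account[account].append((when, ip))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Source addresses seen from this login up to `window` later.
            ips = {ip for when, ip in events[i:] if when - start <= window}
            if len(ips) > 1:
                flagged.setdefault(account, set()).update(ips)
    return {acct: sorted(ips) for acct, ips in flagged.items()}

if __name__ == "__main__":
    for account, ips in concurrent_use(SAMPLE_LOG).items():
        print(f"ALERT {account}: logins from {', '.join(ips)} within the window")
```

A flagged account is a lead for investigation, not proof of hijacking: users who legitimately roam between networks will also appear, so the window and any allow-list need tuning to the environment.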

8. UNKNOWN RISK PROFILE
When adopting a cloud service, the characteristics and functionalities may be well advertised and presented to the buyer, but what about the details of, or compliance with, the internal security procedures, configuration hardening, patching, auditing, and logging? How are your private data and related logs stored, and who has access to this stack of documents? What information, if any, will the vendor disclose in the event of an undesirable security incident? Often such questions are not clearly answered or are simply overlooked, which leaves customers with an unknown risk profile that may include serious threats [5].

REMEDIATION [5]
- Disclosure of applicable logs and data
- Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.)
- Monitoring and alerting on necessary information

Maintaining logs and data, and monitoring the necessary information in detail, is generally the right approach to avoiding mishaps from unknown risk. Providers and customers can both rely on this remediation and work accordingly.


9. CONCLUSION
Cloud computing in a business environment is of real value. It lets cloud consumers avail themselves of the benefits of outsourced computing services. Cloud computing not only reduces cost but also reduces the risk of data/resource vulnerability.

Several of the security issues have been discussed. The remedies listed, which are useful, efficient and applicable, have been taken from a conference held by the Cloud Security Alliance.

This report will help users, business owners and leaders (of Small and Medium Enterprises) evaluate and mitigate the security risks associated with the adoption of cloud computing technologies.


10. REFERENCES
1. http://en.wikipedia.org/wiki/Cloud_computing_security
2. http://www.networkcomputing.com/cloud-computing/cloud-minuses-outweighpluses-for-businesses.php
3. http://opencloudmanifesto.org/Cloud_Computing_Use_Cases_Whitepaper-4_0.pdf
4. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment
5. http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
6. http://www.cloudsecurityalliance.org/guidance
