Lecture 11 - Week 12 On Cloud Security PDF
Document Details
Uploaded by ComplimentaryKoto
Pharos University in Alexandria
Summary
This lecture covers cloud security concepts, including security risks, user concerns, and issues related to data privacy and security.
Full Transcript
Distributed Systems and Cloud Computing
CLOUD SECURITY

Intended Learning Outcomes (ILOs)
- To introduce the concept of cloud security.
- To illustrate the security concerns of cloud users.
- To explain the cloud security risks.

Introduction
A computer cloud is a target-rich environment for malicious individuals and criminal organizations. It is, thus, no surprise that security is a major concern for existing users and for potential new users of cloud computing services.
Cloud computing is an entirely new approach to computing based on a new technology. It is therefore reasonable to expect that new methods to deal with some of the security threats will be developed.
Standards, regulations, and laws governing the activities of organizations supporting the new computing services, and in particular utility computing, have yet to be adopted. As a result, many issues related to privacy, security, and trust in cloud computing are far from being settled. For example, there are no international regulations related to data security and privacy. Data stored on a computer cloud can freely cross national borders among the data centers of the Cloud Service Provider.

Security, the Top Concern for Cloud Users
Some believe that moving to a computer cloud frees an organization from all concerns related to computer security and eliminates a wide range of threats to data integrity. They believe that cloud security is in the hands of experts, hence cloud users are better protected than when using their own computing resources. These opinions are not entirely justified.
Major user concerns are about:
- The unauthorized access to confidential information and the data theft: Data is more vulnerable in storage than while it is being processed. Data is kept in storage for extended periods of time, while during processing it is exposed to threats for a relatively short time. Close attention should be paid to storage server security and to data in transit.
- The risk of unauthorized access and data theft posed by rogue employees of a Cloud Service Provider (CSP): Cloud users are concerned about insider attacks because the hiring and security screening policies of a CSP are totally opaque to outsiders.
- The user control over the lifecycle of data: It is virtually impossible for a user to determine if data that should have been deleted was actually deleted. Even if deleted, there is no guarantee that the media was wiped and that the next user is not able to recover confidential data.
- Lack of standardization: Today there are no interoperability standards. Questions such as "What can be done when the service provided by the CSP is interrupted?", "What if the CSP drastically raises its prices?" and "What is the cost of moving to a different CSP?" have not been answered yet.
- Multi-tenancy: Multi-tenancy is the root cause of many user concerns. However, multi-tenancy enables a higher server utilization, thus lower costs. The threats caused by multi-tenancy differ from one cloud delivery model to another. For example, in the case of SaaS, private information such as the name, address, phone numbers, and possibly credit card numbers of many users is stored on one server; when the security of that server is compromised, a large number of users are affected.
- The legal framework for enforcing cloud computing security: Users have legitimate concerns regarding the ability to defend their rights. The data centers of a CSP may be located in several countries and it is unclear which laws apply: the laws of the country where information is stored and processed, the laws of the countries the information crossed when sent by the user, or the laws of the user's country.

Cloud Security Risks
A cloud could be used to launch large-scale attacks against other components of the cyber infrastructure. The cloud security risks can be divided into:
1. Traditional security threats.
2. Threats related to system availability.
3. Threats related to third-party data control.

Cloud Security Risks: Traditional security threats
1. Traditional threats are those experienced for some time by any system connected to the Internet, but with some cloud-specific twists.
2. The impact of traditional threats is amplified due to the vast amount of cloud resources and the large user population that can be affected.
3. The long list of cloud user concerns also includes the fuzzy bounds of responsibility between the providers of cloud services and users, as well as the difficulty of accurately identifying the cause of a problem.
4. The favorite means of attack are: distributed denial of service (DDoS), phishing, SQL injection, or cross-site scripting.

Cloud Security Risks: Threats related to system availability
Availability of cloud services is another major concern. System failures, power outages, and other catastrophic events could shut down cloud services for extended periods of time.
Another critical aspect of availability is that the users cannot be assured that an application hosted on the cloud returns correct results.

Cloud Security Risks: Threats related to third-party data control
Third-party control generates a spectrum of concerns caused by lack of transparency and limited user control. For example, a cloud provider may subcontract some resources from a third party whose level of trust is questionable.
There are examples when subcontractors failed to maintain the customer data. There are also examples when the third party was not a subcontractor but a hardware supplier and the loss of data was caused by poor quality storage devices.

Top twelve cloud security threats
- Data breaches: The most damaging breaches are for sensitive data including financial and health information, trade secrets, and intellectual property. The ultimate responsibility rests with the organizations maintaining data on the cloud. Recommendations are that organizations use multi-factor authentication and encryption to protect against data breaches.
- Compromised credentials and broken authentication: Such attacks are due to lax authentication, weak passwords, and poor key and/or certificate management.
- Hacked interfaces and APIs: Cloud security and service availability can be compromised by a weak API. When third parties rely on APIs, more services and credentials are exposed.
- Exploited system vulnerabilities: Resource sharing and multi-tenancy create new attack surfaces, but the cost to discover and repair vulnerabilities is small compared to the potential damage.
- Account hijacking: All accounts should be monitored so that every transaction can be traced to the individual requesting it.
- Malicious insiders: This threat can be difficult to detect, and system administrator errors could sometimes be falsely diagnosed as threats. A good policy is to segregate duties and enforce activities such as logging, monitoring, and auditing administrator activities.
The other six threats are: advanced persistent threats (APTs), permanent data loss, inadequate diligence, cloud service abuse, DoS attacks, and shared technology.
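
The monitoring advice under account hijacking and malicious insiders (trace every transaction to an individual, segregate duties, audit administrator activity) can be checked mechanically over an audit trail. The sketch below is an added example, not part of the lecture; the record format, the list of shared accounts and the rule names are assumptions, and the log records are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed audit records (not from the lecture): time|actor|action|change-id.
const sampleLog = `2024-05-01T09:00:00Z|alice|request|CHG-1
2024-05-01T09:05:00Z|bob|approve|CHG-1
2024-05-01T10:00:00Z|carol|request|CHG-2
2024-05-01T10:01:00Z|Carol|approve|CHG-2
2024-05-01T11:00:00Z|root|request|CHG-3
2024-05-01T12:00:00Z||approve|CHG-4`

// Assumed shared identities: actions under these names cannot be tied to a person.
var sharedAccounts = map[string]bool{"root": true, "admin": true, "": true}

type Finding struct{ Change, Rule string }

// Audit flags records that cannot be traced to an individual and changes that
// were approved by their own requester or approved without any request on record.
func Audit(log string) []Finding {
	var out []Finding
	requester := map[string]string{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Split(line, "|")
		if len(f) != 4 {
			out = append(out, Finding{line, "malformed"}) // raw line kept for review
			continue
		}
		actor, action, change := strings.ToLower(strings.TrimSpace(f[1])), f[2], f[3]
		if sharedAccounts[actor] {
			out = append(out, Finding{change, "untraceable"})
		}
		switch r, seen := requester[change]; {
		case action == "request":
			requester[change] = actor
		case action == "approve" && !seen:
			out = append(out, Finding{change, "approve-without-request"})
		case action == "approve" && r == actor:
			out = append(out, Finding{change, "self-approved"})
		}
	}
	return out
}

func main() {
	fmt.Println(Audit(sampleLog))
}
```

CHG-1 is the clean case (requested by one person, approved by another) and produces no finding; a record that does not parse is reported rather than skipped, so a damaged audit trail is itself visible.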

Privacy and Privacy Impact Assessment
The term privacy refers to the right of an individual, a group of individuals, or an organization to keep information of a personal nature or proprietary information from being disclosed. The privacy laws differ from country to country.

The main aspects of cloud privacy
- The lack of user control: Once data is stored on the servers of the CSP, the user loses control over the exact location and, in some instances, could lose access to the data.
- Potential unauthorized secondary use: The CSP may obtain revenues from unauthorized secondary usage of the information, e.g., for targeted advertising. There are no technological means to prevent this use.
- Dynamic provisioning: This refers to threats due to outsourcing. A range of issues are very fuzzy; for example, how to identify the subcontractors of a CSP, what rights to the data they have, and what rights to data are transferable in case of bankruptcy or merger.

Cloud Data Encryption
Cloud encryption is a data security process in which plaintext data is encoded into unreadable ciphertext to help keep it secure. It is one of the most effective ways to uphold data privacy as well as protect cloud data in transit or at rest against attacks.