Lecture4_Mechanisms_and_Security.pptx
CS 5610 Introduction to Cloud Computing
Lecture 4: Cloud Mechanisms, Cloud Security
[email protected]

Slide 2: Learning Objectives
- Understand the building blocks of a cloud environment.
- Explain how cloud services and features are supported through the implementation of cloud mechanisms.
- Understand the fundamental terms and concepts of cloud security.
- Explain the common threats and attacks in cloud environments.
- Understand the shared security responsibility between cloud consumers and cloud providers.

Slide 3: Section I – Cloud Mechanisms

Slide 4: Cloud Mechanisms
The technology-centric nature of cloud computing requires a set of mechanisms that act as building blocks for supporting cloud services:
- Cloud Virtual Server and Hypervisor
- Logical Network Perimeter
- Cloud Storage
- Cloud Usage Monitor
- Cloud Resource Replication
- Ready-Made Environment
- Automated Scaling
- Load Balancer
- Failover Systems
- Resource Cluster
- Multi-device Broker

Slide 5: Cloud Virtual Server Mechanism
A virtual server is a virtualized (emulated) server carved out of a physical server. Cloud providers use virtual servers to share one physical server among multiple cloud consumers by giving each consumer its own virtual server instance. Each virtual server can host numerous IT resources and cloud-based solutions. The number of instances a given physical server can host is limited by its capacity. The terms virtual server and virtual machine (VM) are used synonymously. The virtual server mechanism is the most foundational building block of cloud environments.

Slide 6: Cloud Virtual Server
Figure - The first physical server hosts two virtual servers, while the second physical server hosts one virtual server.

Slide 7: Cloud Hypervisor
A cloud hypervisor is software that enables the sharing of a cloud provider's physical compute and memory resources across multiple virtual machines (VMs).
Type-1 hypervisor software is installed directly on bare-metal servers and provides features for controlling, sharing and scheduling the usage of hardware resources such as processor time, memory, and I/O. Cloud providers most commonly deploy a Type-1 hypervisor.

Slide 8: Cloud Hypervisor
Cloud providers most commonly deploy a Type-1 (bare-metal, native) hypervisor, where the virtualization software is installed directly on the hardware. Bare-metal hypervisors generally perform better and more efficiently than hosted (Type-2) hypervisors. Because they do not sit on top of a general-purpose, attack-prone operating system, they also expose a smaller attack surface, although the hypervisor itself remains a security-critical component shared by every tenant on the host.

Slide 9: Pre-made VM Images
To enable the quick, on-demand creation of virtual servers, cloud providers can offer cloud consumers a set of template virtual servers made available through pre-made VM images. E.g., Amazon Machine Images (AMIs), Google Cloud images
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
- https://cloud.google.com/compute/docs/images

Slide 10: Cloud Virtual Infrastructure Manager
The Virtual Infrastructure Manager (VIM) is often used in the cloud data center to coordinate the physical servers in relation to the creation of virtual server instances. This approach is used to apply a uniform implementation of the virtualization platform layer. The VIM provides a range of features for administering multiple hypervisors across physical servers (see the next slide).

Slide 11: Hypervisor and VIM
Virtual servers are created via the physical servers' hypervisors and a central VIM. All three hypervisors are jointly controlled by the same VIM.

Slide 12: Hypervisor and VIM
The VIM can perform live migration of virtual servers between physical servers inside the same data center. A virtual server capable of auto-scaling experiences an increase in its workload (1). The VIM decides that the virtual server cannot scale up because its underlying physical server host is being used by other virtual servers (2).
Slide 13: Hypervisor and VIM
The VIM commands the hypervisor on the busy physical server to suspend execution of the virtual server (3). The VIM then commands the instantiation of the virtual server on the idle physical server. State information (such as dirty memory pages and processor registers) is synchronized via a shared cloud storage device (4). The VIM commands the hypervisor at the new physical server to resume the virtual server's processing (5). Virtual servers are thus able to live migrate from one physical server to another.

Slide 14: Logical Network Perimeter Mechanism
The logical network perimeter is a virtual network boundary that separates an environment from the rest of a communication network, creating a secure, isolated network space within a cloud infrastructure. This mechanism is established using a combination of software-defined networking (SDN) technologies, virtual networks, and security mechanisms
- to ensure secure communication between internal resources and external systems, and
- to isolate the cloud-based IT resources from other cloud consumers and non-authorized users.

Slide 15: Logical Network Perimeter
Key features:
- Isolation of resources (VMs, databases, etc.)
- Virtual firewalls and security groups, which filter network traffic
- Virtual networks (VPNs and VLANs), which segment connections
- IP address management for secure communication
In cloud environments, a Virtual Private Cloud (VPC) in AWS or a Virtual Network (VNet) in Azure is an implementation of a logical network perimeter.

Slide 16: Cloud Storage Mechanism
The cloud storage mechanism refers to the technologies and processes that allow data to be stored, managed, and accessed over the internet using remote servers hosted by a cloud service provider. Instances of these storage devices can be virtualized, similar to how physical servers can spawn virtual servers. The cloud storage mechanism is one of the foundational building blocks of cloud environments.
Slide 17: Types of Cloud Storage
Cloud storage mechanisms provide the common types of data storage:
- File storage - organizes data in a hierarchical structure (files and directories).
- Block storage - treats data as blocks, similar to a traditional hard drive.
- Object storage - stores data as objects, where each object contains data, metadata, and a unique identifier. Data are organized as Web-based resources.
Each is associated with a certain type of technical interface and a particular type of cloud storage device.

Slide 18: Cloud Storage Types
Figure - Different cloud service consumers utilize different technologies to interface with virtualized cloud storage devices.
POSIX: the Portable Operating System Interface, a family of standards specified by the IEEE Computer Society for maintaining compatibility between operating systems.
CRUD: create, read, update and delete.

Slide 19: Cloud Usage Monitor Mechanism
The cloud usage monitor mechanism refers to the tools and processes that track, collect, and analyze data about the usage of cloud resources and services. Three types of monitors are commonly implemented in cloud environments:
- Pay-per-use monitor
- SLA monitor
- Audit monitor
There are also some specialized monitors.

Slide 20: Pay-per-use Monitor
The pay-per-use monitor tracks the usage of cloud resources to calculate billing based on the "pay-as-you-go" pricing model. Some typical monitoring variables are:
- request/response message quantity
- service uptime
- transmitted data volume
- bandwidth consumption
The data collected by the pay-per-use monitor is processed by a billing management system that calculates the fees.

Slide 21: Pay-per-use Monitor
Figure - A cloud service consumer sends a request message to the cloud service (1). The pay-per-use monitor intercepts the message (2), forwards it to the cloud service (3a), and stores the usage information in accordance with its monitoring metrics (3b).
The cloud service forwards the response messages back to the cloud service consumer to provide the requested service (4). The figure illustrates a pay-per-use monitor that transparently intercepts and analyzes runtime communication with a cloud service.

Slide 22: SLA Monitor
The SLA (Service Level Agreement) monitor is used specifically to observe the runtime performance/quality of cloud services to ensure that they are fulfilling the contractual QoS requirements defined in SLAs. The data collected by the SLA monitor is processed by an SLA management system and aggregated into SLA reporting metrics.

Slide 23: SLA Monitor
Figure - The SLA monitor polls the cloud service by sending polling request messages (MREQ_1 to MREQ_N). The monitor receives polling response messages (MREP_1 to MREP_N) that report that the service was "up" at each polling cycle (1a). The SLA monitor stores the "up" time (the time period of all polling cycles 1 to N) in the log database (1b). The SLA monitor polls the cloud service by sending polling request messages (MREQ_N+1 to MREQ_N+M). Polling response messages are not received (2a). The response messages continue to time out, so the SLA monitor stores the "down" time (the time period of all polling cycles N+1 to N+M) in the log database (2b). The SLA monitor sends a polling request message (MREQ_N+M+1) and receives the polling response message (MREP_N+M+1) (3a). The SLA

Slide 24: Audit Monitor
The audit monitor is used to track and log cloud activities for compliance, auditing, and security purposes: to check whether the use of cloud IT resources complies with legal or policy requirements. The figure on the next slide depicts an audit monitor that intercepts "login" requests and stores the requestor's security credentials, as well as both failed and successful login attempts, in a log database for future audit reporting purposes.
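As an added example that is not part of the lecture, the Python script below shows what can be done with the log database the audit monitor (slide 24) fills. It parses a constructed audit log of login events (the line format, the consumer names and the addresses are assumptions of the example) and flags a successful login that arrives only after a burst of failures from the same source, which is what a guessed weak password looks like in the record.

```python
"""Audit-monitor log analysis (added example, not from the lecture).

Parses a constructed audit log of login events (the line format is an
assumption of this example) and flags a successful login that follows a
burst of failures from the same source within a short window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed audit log: timestamp, consumer identity, source IP, outcome.
CONSTRUCTED_AUDIT_LOG = """\
2024-03-01T10:00:00Z consumer-a 198.51.100.7 FAIL
2024-03-01T10:00:05Z consumer-a 198.51.100.7 FAIL
2024-03-01T10:00:09Z consumer-a 198.51.100.7 FAIL
2024-03-01T10:00:12Z consumer-a 198.51.100.7 FAIL
2024-03-01T10:00:15Z consumer-a 198.51.100.7 FAIL
2024-03-01T10:00:20Z consumer-a 198.51.100.7 SUCCESS
2024-03-01T10:05:00Z consumer-b 203.0.113.9 SUCCESS
2024-03-01T11:00:00Z consumer-c 203.0.113.9 FAIL
2024-03-01T11:30:00Z consumer-c 203.0.113.9 SUCCESS
"""


def parse_audit_log(text: str) -> List[Dict]:
    """One dict per login event; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, consumer, src, outcome = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "consumer": consumer,
            "src": src,
            "ok": outcome == "SUCCESS",
        })
    return events


def login_summary(events: List[Dict]) -> Dict[str, Tuple[int, int]]:
    """Per consumer: (failed attempts, successful attempts), as an audit report shows."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for ev in events:
        counts[ev["consumer"]][1 if ev["ok"] else 0] += 1
    return {c: (f, s) for c, (f, s) in counts.items()}


def detect_brute_force(events: List[Dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> List[Dict]:
    """Flag a (consumer, source) pair whose successful login comes after at
    least `threshold` failures inside `window`: the signature of a guessed
    weak password rather than a user mistyping once."""
    recent_failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["consumer"], ev["src"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["ok"]:
            if len(q) >= threshold:
                alerts.append({"consumer": ev["consumer"], "src": ev["src"],
                               "failures_before_success": len(q), "at": ev["ts"]})
            q.clear()
        else:
            q.append(ev["ts"])
    return alerts


if __name__ == "__main__":
    evs = parse_audit_log(CONSTRUCTED_AUDIT_LOG)
    print(login_summary(evs))
    for alert in detect_brute_force(evs):
        print("ALERT", alert)
```

Note what the log stores: the identity presented, the source and the outcome. The slide says the monitor stores the requestor's security credentials; in practice that should mean the identity, never the secret itself, since a log database full of plaintext passwords becomes a target in its own right.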
Slide 25: Audit Monitor
Figure - A cloud service consumer requests access to a cloud service by sending a login request message with security credentials (1). The audit monitor intercepts the message and forwards it to the authentication service (2). The authentication service processes the security credentials. A response message is generated for the cloud service consumer, in addition to the results from the login attempt (3). The audit monitor intercepts the response message and stores the entire collected login event details in the log database, as per the organization's audit policy requirements (4). Access has been granted (5), and a response is sent

Slide 26: Cloud Usage Monitor
Examples:
- Pay-per-use: AWS Billing and Cost Management, Azure Cost Management and Billing, Google Cloud Billing
- SLA/performance: AWS CloudWatch, Azure Monitor, Google Cloud Operations Suite
- Audit: AWS CloudTrail, Azure Activity Log, Google Cloud Audit Logs

Slide 27: Resource Replication Mechanism
Resource replication, defined as the creation of multiple instances of the same IT resource, is typically performed to enhance availability, performance and fault tolerance. To implement resource replication, technologies such as virtualization and containerization are often used to replicate cloud-based IT resources.

Slide 28: Resource Replication
Figure - The hypervisor accesses a stored virtual server image and replicates several instances.

Slide 29: Ready-Made Environment Mechanism
The ready-made environment mechanism is a defining component of the PaaS cloud delivery model. PaaS represents a pre-defined, cloud-based platform comprised of a set of already installed IT resources, ready to be used and customized by a cloud consumer. These environments are used by cloud consumers to remotely develop and deploy their applications within a cloud. Typical ready-made environments include pre-installed IT resources, such as databases, libraries, and development tools.

Slide 30: Ready-Made Environment
Figure - A cloud consumer accesses a ready-made environment.
Slide 31: Automated Scaling Mechanism
The automated scaling mechanism automatically triggers the dynamic allocation of cloud IT resources based on predefined scaling conditions. The core component of this mechanism is the automated scaling listener, which is deployed within the cloud to track workload status information.

Slide 32: Automated Scaling
Figures 1, 2 and 3 illustrate the process of automated scaling.
Figure 1 - Cloud service consumers are sending requests to a cloud service (1). The automated scaling listener monitors the cloud service to determine if predefined capacity thresholds are being exceeded (2).

Slide 33: Automated Scaling
Figure 2 - The number of requests coming from cloud service consumers increases (3). The workload exceeds the performance thresholds. The automated scaling listener determines the next action based on a predefined scaling policy (4). If the cloud service implementation is deemed eligible for additional scaling, the automated scaling listener initiates the scaling process (5).

Slide 34: Automated Scaling
Figure 3 - The automated scaling listener sends a signal to the resource replication mechanism (6), which creates more instances of the cloud service (7). Now that the increased workload has been accommodated, the automated scaling listener resumes monitoring and removing or adding IT resources as required (8).

Slide 35: Automated Scaling
The scaling listener can respond to workload fluctuations in different ways, such as:
- Automatically scaling IT resources out or in based on parameters previously defined by the cloud consumer.
- Automatically notifying the cloud consumer when workloads exceed current thresholds or fall below allocated resources, so that the cloud consumer can choose to adjust its current IT resource allocation.

Slide 36: Load Balancer Mechanism
The load balancer mechanism is used to balance a workload across two or more IT resources to increase performance and capacity.
Load balancer mechanisms can be hardware based or software based. The load balancer is typically located on the communication path between the IT resources generating the workload and the IT resources performing the workload processing. A load balancer is programmed or configured with a set of performance and QoS rules.

Slide 37: Load Balancer
Figure - A load balancer implemented as a service agent transparently distributes incoming workload request messages across two redundant cloud service implementations, which in turn maximizes performance for the cloud service consumers.

Slide 38: Failover System Mechanism
The failover system mechanism is used to increase the reliability and availability of IT resources. A failover system is configured to automatically switch over to a redundant or standby IT resource instance whenever the currently active IT resource becomes unavailable. Failover systems are commonly used for mission-critical programs and reusable services that would otherwise introduce a single point of failure for multiple applications.

Slide 39: Failover System
A failover system can span more than one geographical region so that each location hosts one or more redundant implementations of the same IT resource. The resource replication mechanism is sometimes used by the failover system to provide redundant IT resource instances, which are actively monitored for the detection of errors and unavailability conditions. Failover systems come in two basic configurations:
- Active-Active
- Active-Passive

Slide 40: Failover System: Active-Active
In an active-active configuration, redundant implementations of the IT resource actively serve the workload synchronously.
Figure - The failover system monitors the operational status of Cloud Service A.

Slide 41: Failover System: Active-Active
Load balancing among the active instances is required. When a failure is detected, the failed instance is removed from the load balancing scheduler.
Whichever IT resource remains operational when a failure is detected takes over the processing.
Figure - When a failure is detected in one Cloud Service A implementation, the failover system commands the load balancer to switch over the workload to the redundant Cloud Service A implementation.

Slide 42: Failover System: Active-Active
Figure - The failed Cloud Service A implementation is recovered or replicated into an operational cloud service. The failover system now commands the load balancer to distribute the workload again.

Slide 43: Failover System: Active-Passive
In an active-passive configuration, a standby or inactive implementation is activated to take over the processing from the IT resource that becomes unavailable, and the corresponding workload is redirected to the instance taking over the operation (figures on the next slides).

Slide 44: Failover System: Active-Passive
Figure - The failover system monitors the operational status of Cloud Service A. The Cloud Service A implementation acting as the active instance is receiving cloud service consumer requests.

Slide 45: Failover System: Active-Passive
Figure - The Cloud Service A implementation acting as the active instance encounters a failure that is detected by the failover system, which subsequently activates the standby Cloud Service A implementation and redirects the workload toward it. The newly invoked Cloud Service A implementation now assumes the role of active instance.

Slide 46: Failover System: Active-Passive
Figure - The failed Cloud Service A implementation is recovered or replicated into an operational cloud service, and is now positioned as the standby instance, while the previously invoked Cloud Service A implementation continues to serve as the active instance.

Slide 47: Resource Cluster Mechanism
Cloud-based IT resources can be logically combined into groups to improve their allocation and use. The resource cluster mechanism is used to group multiple IT resource instances so that they can be operated as a single IT resource instance.
This increases the combined capacity and availability of the clustered IT resources.

Slide 48: Resource Cluster Mechanism
A cluster management platform, running as distributed middleware, is usually responsible for these activities; it implements a coordination function that allows the clustered IT resources to appear as one IT resource. The resource cluster mechanism relies on high-speed dedicated network connections between IT resource instances to communicate about workload distribution, task scheduling, data sharing, and system synchronization.

Slide 49: Resource Cluster
Common resource cluster types include:
- Server cluster - physical or virtual servers are clustered to increase performance and availability. Hypervisors running on different physical servers can be configured to share virtual server execution state in order to establish clustered virtual servers.

Slide 50: Resource Cluster
- Storage cluster - designed to improve data availability, this high-availability resource cluster has a synchronization feature that maintains the consistency of data being stored at the different storage devices used in the cluster.

Slide 51
Connect the clustered storage and the clustered servers.

Slide 52: Multi-Device Broker Mechanism
An individual cloud service may need to be accessed by a range of cloud service consumers differentiated by their hosting hardware devices and/or communication requirements. The multi-device broker mechanism is used to facilitate runtime data transformation so as to make a cloud service accessible to a wider range of cloud service consumer programs and devices, overcoming incompatibilities between a cloud service and a disparate cloud service consumer.

Slide 53: Multi-Device Broker
Figure - A multi-device broker contains the mapping logic necessary to transform data exchanges between a cloud service and different types of cloud service consumer devices.
Slide 54: Section II – Cloud Security

Slide 55: Cloud Security Incidents
A more recent report says that more than 80% of organizations have experienced a cloud-related security incident over the past 12 months.
Sources:
- https://www.immuniweb.com/blog/top-10-cloud-security-incidents-in-2022.html
- https://www.helpnetsecurity.com/2020/07/09/public-cloud-security-incident/
- https://www.helpnetsecurity.com/2020/06/03/cloud-data-breach/

Slide 56: Cloud Security
Cloud computing security or, more simply, cloud security, refers to the policies, technologies, best practices, and controls used to secure data, applications, services, and infrastructure in cloud environments. It is a sub-domain of computer security and, more broadly, of information security or cybersecurity. The next few slides define fundamental security terms and concepts relevant to cloud computing.

Slide 57: Cloud Security
Four basic concepts related to cloud security are defined on the following slides.

Slide 58: Confidentiality
Confidentiality is the characteristic of something being made accessible only to authorized parties.

Slide 59: Integrity
Integrity is the characteristic of not having been altered by an unauthorized party. An important issue that concerns data integrity in the cloud is whether a cloud consumer can be guaranteed that the data it transmits to a cloud service matches the data received by that cloud service.

Slide 61: Integrity
Figure - The message sent by the cloud consumer to the cloud service is considered to have integrity if it has not been altered.

Slide 62: Availability
Availability is the characteristic of being accessible and usable during a specified time period. In typical cloud environments, the availability of cloud services can be a responsibility shared by the cloud provider and the cloud carrier.
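As an added example that is not part of the lecture, the following Python script works through what the SLA monitor on slide 23 records and what the availability definition above measures: a constructed polling log of up/timeout cycles is collapsed into "up" and "down" periods, availability is computed as uptime over total time, and the same formula is turned around to give the allowable downtime for a target number of nines. The polling log, its 60-second period and the 365-day year are assumptions of the example.

```python
"""Availability from an SLA monitor's polling log (added example, not from the lecture).

The SLA monitor polls the service every POLL_PERIOD_S seconds and records
whether a polling response came back.  Consecutive cycles with the same
outcome are stored as one "up" or "down" period, and availability is
A = uptime / (uptime + downtime).
"""
from typing import List, Tuple

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: a 365-day year
POLL_PERIOD_S = 60                  # assumption: one polling cycle per minute

# Constructed polling log: True = response received, False = timed out.
# 50 "up" cycles, 10 timed-out cycles, then 40 "up" cycles.
CONSTRUCTED_POLL_LOG: List[bool] = [True] * 50 + [False] * 10 + [True] * 40


def up_down_periods(log: List[bool], period_s: int) -> List[Tuple[bool, int]]:
    """Collapse consecutive polling cycles into (is_up, duration_seconds) periods,
    the way the SLA monitor writes "up" and "down" time to its log database."""
    periods: List[Tuple[bool, int]] = []
    for is_up in log:
        if periods and periods[-1][0] == is_up:
            periods[-1] = (is_up, periods[-1][1] + period_s)
        else:
            periods.append((is_up, period_s))
    return periods


def availability_pct(uptime_s: float, total_s: float) -> float:
    """A = uptime / (uptime + downtime), expressed as a percentage."""
    return 100.0 * uptime_s / total_s


def availability_from_log(log: List[bool], period_s: int) -> float:
    """Availability over the whole polling log."""
    uptime = sum(d for is_up, d in up_down_periods(log, period_s) if is_up)
    return availability_pct(uptime, len(log) * period_s)


def availability_for_downtime(downtime_s: float, total_s: float = SECONDS_PER_YEAR) -> float:
    """Availability given the total downtime in the period (challenge question 1)."""
    return availability_pct(total_s - downtime_s, total_s)


def allowed_downtime_s(target_pct: float, total_s: float = SECONDS_PER_YEAR) -> float:
    """The most downtime that still meets target_pct (challenge question 2)."""
    return total_s * (100.0 - target_pct) / 100.0


if __name__ == "__main__":
    print(up_down_periods(CONSTRUCTED_POLL_LOG, POLL_PERIOD_S))
    print(f"log availability: {availability_from_log(CONSTRUCTED_POLL_LOG, POLL_PERIOD_S):.2f}%")
    print(f"10 h downtime per year: {availability_for_downtime(10 * 3600):.4f}%")
    for nines in (99.0, 99.9, 99.99, 99.999, 99.9999):
        print(f"{nines}% allows {allowed_downtime_s(nines):.0f} s of downtime per year")
```

The polling resolution bounds what the monitor can see: an outage shorter than one polling period is either missed or counted as a whole period, so the "down" figure is only as precise as the period.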
Slide 63: Availability
Availability (A) can be calculated using the equation:

Slide 64: Availability
Availability | Total downtime per year
99% (two nines) | 3.6 days
99.9% (three nines) | 8 hours 46 minutes
99.99% (four nines) | 52 minutes 36 seconds
99.999% (five nines) | 5 minutes 15 seconds
99.9999% (six nines) | 32 seconds

Slide 65: Authenticity
Authenticity is the characteristic of something being genuine and able to be verified and trusted. Authentication is the process of verifying a user or process before allowing access to a system or resource.

Slide 66: Challenge/Discussion
Calculate availability:
1. What is the availability of a system/service if its total downtime in one year (365 days) is 10 hours?
2. To reach five-nines (99.999%) availability, what is the total allowable downtime (in seconds) of the service in one year?

Slide 67: Challenge/Discussion
The following figure explains the cloud security concept of _____________
A. Integrity
B. Confidentiality
C. Authenticity
D. Availability

Slide 68: Threat Agents
A threat agent is an entity that exploits a vulnerability and poses a threat; it is capable of carrying out an attack. Cloud security threats can originate either internally or externally, from humans or from software programs. Types of threat agents in a cloud environment:
- Anonymous attacker
- Malicious tenant
- Malicious insider

Slide 69: Threat Agents: Anonymous Attacker
An anonymous attacker is a non-trusted attacker without permissions in the cloud. It typically launches network-level attacks through public networks. Anonymous attackers often resort to acts like intercepting messages, bypassing user accounts or stealing user credentials. When anonymous attackers have limited information on security policies and mechanisms, their ability to formulate effective attacks is inhibited.

Slide 70: Threat Agents: Malicious Tenant
A malicious tenant is a cloud consumer who attempts to exploit legitimate credentials to target cloud providers and other cloud consumers.
Malicious tenants can use cloud-based IT resources for a wide range of exploits, including:
- the hacking of weak authentication processes
- the breaking of encryption
- the spamming of email accounts
- the launching of DoS campaigns

Slide 71: Threat Agents: Malicious Tenant
Because they are actually cloud consumers, malicious tenants are also known as trusted attackers. Unlike anonymous attackers, malicious tenants usually launch their attacks from within a cloud by abusing legitimate credentials.

Slide 72: Threat Agents: Malicious Insider
Malicious insiders are human threat agents acting on behalf of, or in relation to, the cloud provider. They are typically current or former employees or third parties with access to the cloud provider's premises. This type of threat agent carries tremendous damage potential, as the malicious insider may have administrative privileges for accessing cloud IT resources.

Slide 73: Common Cloud Threats and Attacks
The common threats and attacks in cloud environments are:
- Misconfiguration of cloud services
- Insufficient authorization and unauthorized access
- Insecure interfaces and APIs
- Cloud malware injection attacks
- Traffic eavesdropping
- Denial of service

Slide 74: Common Cloud Threats and Attacks
A survey conducted in 2022 asked 775 cyber-security professionals about the current state of cloud security and the biggest cloud security threats. Source: https://pages.checkpoint.com/2022-cloud-security-report.html

Slide 75: Misconfiguration of Cloud Services
Although the cloud has been around for over a decade, it is still a fairly new technology that IT professionals are still learning how to implement properly. Security misconfiguration refers to the failure to properly configure cloud computing resources and infrastructure to protect against cyber threats.

Slide 76: Misconfiguration of Cloud Services
Cloud misconfiguration is one of the biggest cloud security threats.
Examples:
- One real-life example is the Alteryx breach in 2017, in which the online marketing firm exposed data from millions of households by misconfiguring an AWS S3 bucket.
- In 2022, McGraw Hill was informed that 22 TB of data, including student grades and personal information, had been exposed since 2015 because of a misconfigured AWS S3 bucket. This misconfiguration meant that around 117 million files could have been accessed by any threat actor with a simple web browser.
Source: https://www.wiz.io/academy/common-cloud-vulnerabilities

Slide 77: Misconfiguration of Cloud Services
Misconfiguration is mostly due to human negligence, for example:
- Using default accounts and passwords (which are publicly known)
- Excessive/unnecessary access
- Unencrypted storage / unsecured backups
- Missing updates and patches
- Unrestricted ports, both inbound and outbound

Slide 78: Misconfiguration of Cloud Services
Because misconfiguration is due to human negligence, it is also preventable:
- Deploy MFA (multi-factor authentication) to reduce the risk of unauthorized access due to credential compromise
- Apply the principle of least privilege (PoLP) for both machines and humans for access to all systems
- Automate security and configuration checks (tools help)
- Follow the correct configuration procedures and best practices

Slide 79: Insufficient Authorization
Insufficient authorization is a security vulnerability that can allow unauthorized access, data breaches, and other security incidents, leading to potential harm, data loss, or legal liability. It is due to a lack of proper authentication or authorization mechanisms. The insufficient authorization attack occurs when access is granted to an attacker erroneously or too broadly, resulting in the attacker gaining access to cloud IT resources that are normally protected.

Slide 80: Insufficient Authorization
A variation of this attack, known as weak authentication, can result when weak passwords or shared accounts are used to protect the IT resources.
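The configuration checks recommended on slide 78 can be automated. As an added example that is not from the lecture, the Python checker below runs the misconfiguration rules from slide 77 (administrative ports open to the world, unrestricted egress, public or unencrypted storage, default credentials, accounts without MFA) over a constructed resource inventory that holds a weak configuration beside its corrected form. The inventory layout, the port/CIDR representation, the bastion address range and the default-credential list are assumptions of the example, not any provider's API.

```python
"""Automated cloud misconfiguration checks (added example, not from the lecture).

Runs the misconfiguration rules from the slides (world-open admin ports,
unrestricted egress, public or unencrypted storage, default credentials,
accounts without MFA) over a constructed inventory.  The inventory format
is an assumption of this example, not any provider's API.
"""
from ipaddress import ip_network
from typing import Dict, List

ADMIN_PORTS = {22, 3389}  # SSH and RDP
# Assumed vendor default credentials (constructed for the example).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root")}

# Constructed inventory: the weak configuration and its corrected form.
WEAK: Dict = {
    "security_group": {
        "ingress": [
            {"ports": (22, 22), "cidr": "0.0.0.0/0"},    # SSH open to the world
            {"ports": (443, 443), "cidr": "0.0.0.0/0"},  # public HTTPS, expected
        ],
        "egress": [{"ports": (0, 65535), "cidr": "0.0.0.0/0"}],  # anything out
    },
    "storage": [{"name": "backups", "public_access": True, "encrypted_at_rest": False}],
    "accounts": [{"user": "admin", "password": "admin", "mfa": False}],
}

HARDENED: Dict = {
    "security_group": {
        "ingress": [
            {"ports": (22, 22), "cidr": "203.0.113.0/24"},  # assumed bastion range
            {"ports": (443, 443), "cidr": "0.0.0.0/0"},
        ],
        "egress": [{"ports": (443, 443), "cidr": "0.0.0.0/0"}],  # HTTPS out only
    },
    "storage": [{"name": "backups", "public_access": False, "encrypted_at_rest": True}],
    "accounts": [{"user": "ops-admin", "password": "<rotated secret>", "mfa": True}],
}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (a prefix length of 0 matches every address)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(sg: Dict) -> List[str]:
    findings = []
    for rule in sg.get("ingress", []):
        lo, hi = rule["ports"]
        if not is_world_open(rule["cidr"]):
            continue
        if lo == 0 and hi == 65535:
            findings.append(f"ingress: all ports open to {rule['cidr']}")
        elif any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(f"ingress: admin port range {lo}-{hi} open to {rule['cidr']}")
    for rule in sg.get("egress", []):
        lo, hi = rule["ports"]
        if is_world_open(rule["cidr"]) and lo == 0 and hi == 65535:
            findings.append(f"egress: unrestricted to {rule['cidr']}")
    return findings


def check_storage(bucket: Dict) -> List[str]:
    findings = []
    if bucket.get("public_access"):
        findings.append(f"storage {bucket['name']}: public access enabled")
    if not bucket.get("encrypted_at_rest"):
        findings.append(f"storage {bucket['name']}: not encrypted at rest")
    return findings


def check_accounts(accounts: List[Dict]) -> List[str]:
    findings = []
    for acct in accounts:
        if (acct["user"], acct["password"]) in DEFAULT_CREDENTIALS:
            findings.append(f"account {acct['user']}: default credentials in use")
        if not acct.get("mfa"):
            findings.append(f"account {acct['user']}: MFA not enabled")
    return findings


def audit(inventory: Dict) -> List[str]:
    """All findings for one inventory; an empty list means no rule fired."""
    findings = check_security_group(inventory["security_group"])
    for bucket in inventory["storage"]:
        findings += check_storage(bucket)
    findings += check_accounts(inventory["accounts"])
    return findings


if __name__ == "__main__":
    for name, inv in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(inv) or "no findings")
```

Port 443 open to the world is deliberately not flagged, since a public HTTPS endpoint is usually intended; a real checker would take that kind of exception from policy rather than hard-code it.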
Within cloud environments, these types of attacks can lead to significant impacts depending on the range of IT resources, and the range of access to those IT resources, that the attacker gains.

Slide 81: Insufficient Authorization
Figure - An attacker has cracked a weak password used by Cloud Service Consumer A. As a result, a malicious cloud service consumer is designed to pose as Consumer A in order to gain access to the cloud-based virtual server.

Slide 82: Insufficient Authorization
Example: The Broward Health public health system disclosed a large-scale data breach incident impacting 1,357,879 individuals. An investigation revealed that the threat actors gained access to patients' personal medical information. Source: https://www.wiz.io/academy/common-cloud-vulnerabilities
To mitigate insufficient authorization / unauthorized access:
- Use biometric or other multi-factor authentication (MFA) methods
- Implement a strong password policy
- Conduct regular access audits
- Deploy a detection and response tool
- Implement least-privilege access and other best practices for cloud resources

Slide 83: Insecure APIs
Organizations typically depend on Application Programming Interfaces (APIs) for mission-critical applications and processes. APIs can contain security flaws that must be addressed by each organization according to its security needs. APIs are just as susceptible to a breach as other weaknesses on company servers and networks.

Slide 84: Insecure APIs
Due to the growing popularity of API usage, securing APIs has become paramount. Insecure APIs are a leading cause of incidents and data breaches. Example: The attack vector for the Optus data breach in 2022 was an unsecured and publicly available API that did not require any authentication to access. The breach compromised the sensitive records of around 10 million customers.
Source: https://www.wiz.io/academy/common-cloud-vulnerabilities

Slide 85: Insecure APIs
Key principles for proper API usage:
- The attack surface provided by APIs should be tracked, configured, and secured.
- Traditional controls, change management policies, and approaches need to be updated to keep pace with cloud-based API growth.
- Companies should embrace automation and employ technologies that monitor continuously for anomalous API traffic and remediate problems in near real time.
https://cloudsecurityalliance.org/blog/2022/07/30/top-threat-2-to-cloud-computing-insecure-interfaces-and-apis/

Slide 86: Cloud Malware Injection Attacks
Cloud malware injection attacks are a type of cyber attack that involves injecting malicious software, such as viruses or ransomware, into cloud computing resources. The result is malicious service implementation modules or virtual machine instances related to SaaS, PaaS, or IaaS.

Slide 87: Cloud Malware Injection Attacks
Examples:
- Cloud Snooper, a cloud malware that infected infrastructure servers hosted in the AWS cloud (EC2), reported by Sophos in 2020: https://www.darkreading.com/cloud/-cloud-snooper-attack-circumvents-aws-firewall-controls
- Microsoft Azure VMs hijacked in a cloud cyberattack in 2023: https://www.darkreading.com/cloud/microsoft-azure-vms-highjacked-in-cloud-cyberattack
To prevent cloud malware injection attacks:
- Abide by a zero-trust model ("never trust, always verify")
- Implement a malware threat detection solution
- Segment your network when suffering from a malware attack

Slide 88: Traffic Eavesdropping
Traffic eavesdropping occurs when data being transferred to or within a cloud (usually from the consumer to the cloud provider) is intercepted by a malicious service agent for illegitimate information-gathering purposes. The aim of this attack is to directly compromise the confidentiality of the data and, possibly, the confidentiality of the relationship between the cloud consumer and the cloud provider.
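As an added example that is not from the lecture, the Python exchange below puts the integrity property of slides 59 and 61 and the eavesdropping attack of slide 88 on one message: the consumer attaches an HMAC-SHA256 tag under a key shared with the service, a malicious service agent on the path keeps a copy of the message and alters the payload before forwarding it, and the service's verification rejects the altered message. The agent's copy is still readable, which is the point of the eavesdropping slide: a MAC gives integrity and authenticity, not confidentiality, so the traffic also has to be encrypted (TLS in practice). The shared key and the message format are assumptions of the example.

```python
"""Message integrity across the consumer-to-service path (added example, not from the lecture).

The consumer tags each message with HMAC-SHA256 under a key shared with the
service; a malicious service agent on the path copies the message and may
alter it; the service accepts only messages whose tag verifies.  Key and
message format are assumptions of the example.
"""
import hashlib
import hmac
from typing import Callable, Optional, Tuple

# Assumed shared secret (constructed; in practice provisioned out of band and rotated).
SHARED_KEY = b"constructed-shared-secret-for-example"
SEP = b"|"


def protect(key: bytes, payload: bytes) -> bytes:
    """Consumer side: payload || '|' || hex(HMAC-SHA256(key, payload))."""
    if SEP in payload:
        raise ValueError("payload must not contain the separator")
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + SEP + tag


def verify(key: bytes, message: bytes) -> Optional[bytes]:
    """Service side: the payload if the tag verifies, otherwise None.
    compare_digest keeps the comparison constant-time."""
    payload, sep, tag = message.rpartition(SEP)
    if not sep:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload if hmac.compare_digest(expected, tag) else None


def malicious_agent(message: bytes,
                    alter: Optional[Callable[[bytes], bytes]] = None) -> Tuple[bytes, bytes]:
    """Eavesdropping service agent: keeps a copy of every message it relays and,
    if `alter` is given, modifies the payload before forwarding (keeping the old tag)."""
    captured = bytes(message)
    if alter is not None:
        payload, sep, tag = message.rpartition(SEP)
        message = alter(payload) + sep + tag
    return captured, message


if __name__ == "__main__":
    msg = protect(SHARED_KEY, b"transfer 10 to acct-42")
    captured, forwarded = malicious_agent(msg, lambda p: p.replace(b"10", b"9999"))
    print("agent read:", captured)                            # plaintext is visible to the agent
    print("service accepts altered:", verify(SHARED_KEY, forwarded))   # None: tag does not verify
    print("service accepts untouched:", verify(SHARED_KEY, malicious_agent(msg)[1]))
```

The tag binds the payload to the key, so the agent cannot recompute it after editing the payload; it can, however, replay an unmodified message, which a MAC alone does not prevent and which needs a nonce or sequence number inside the tagged payload.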
Slide 89: Traffic Eavesdropping
Because of the passive nature of this attack, it can more easily go undetected for an extended period of time. Detecting eavesdropping attacks is challenging, so a proactive approach is critical for eavesdropping prevention:
- Ensure that your cloud resources use some means of authentication for inbound network traffic
- Segment networks
- Inspect malicious links
- Monitor networks and use firewalls
Encrypting traffic in transit (TLS in practice) is the primary control: it leaves an eavesdropper with a copy it cannot read.

Slide 90: Traffic Eavesdropping
Figure - An externally positioned malicious service agent carries out a traffic eavesdropping attack by intercepting a message sent by the cloud service consumer to the cloud service. The service agent makes an unauthorized copy of the message before it is sent along its original path to the cloud service.

Slide 91: Denial of Service
The objective of a denial of service (DoS) attack is to overload IT resources to the point where they cannot function properly. A Distributed Denial-of-Service (DDoS) attack is the same attack launched from many sources at once. This form of attack is commonly launched in one of the following ways:
- The workload on cloud services is artificially increased with repeated requests, each of which is designed to consume excessive memory and processing resources (application-layer attacks).
- The network is overloaded with traffic to reduce its responsiveness and cripple its performance.

Slide 92: Denial of Service
Figure - Cloud Service Consumer A sends multiple messages to a cloud service (not shown) hosted on Virtual Server A. This overloads the capacity of the underlying physical server, which causes outages with Virtual Servers A and B. As a result, legitimate cloud service consumers, such as Cloud Service Consumer B, become unable to communicate with any cloud services hosted on Virtual Servers A and B.

Slide 93: Denial of Service Example
AWS was hit by a gigantic DDoS attack in February 2020. The attack lasted for three days.
o https://www.a10networks.com/blog/5-most-famous-ddos-attacks/
To prevent DoS attacks on cloud services:
Implement sound network monitoring practices
Explore cloud-based DDoS protection solutions
Be ready with a DDoS response battle plan
Ensure sufficient server capacity

94 Shared Security Responsibility
The cloud security responsibility is shared between the Cloud Provider and the Customer.

95 Shared Security Responsibility
Cloud Service Provider is responsible for:
Global infrastructure (Regions, Availability zones, Edge locations)
Hardware
Networking
Database
Storage
Compute
Software
Service Customer is responsible for:
Data encryption
Operating systems configuration
Network configuration
Firewall configuration
Platform management
Identity and access management
Customer data

96 Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world's leading organization dedicated to defining and raising awareness of best practices to help create a secure cloud computing environment.
https://cloudsecurityalliance.org/

97 Cloud Security Alliance
Categories of SECaaS defined by CSA:
Category 1 - Identity and Access Management
Category 2 - Data Loss Prevention
Category 3 - Web Security
Category 4 - Email Security
Category 5 - Security Assessments
Category 6 - Intrusion Management
Category 7 - Security Information and Event Management
Category 8 - Encryption
https://cloudsecurityalliance.org/press-releases/2012/08/07/input-on-secaas-implementation-guidance/

98 Challenge/Discussion
Search for and list a few examples of SECaaS.

99 Summary of Key Points
Cloud mechanisms are building blocks of cloud environments.
A virtual server is a form of virtualization software that emulates a server.
The logical network perimeter mechanism can be implemented to isolate IT resources in a cloud from others.
The cloud storage mechanism represents storage devices that are designed specifically for cloud-based provisioning.
The cloud usage monitor mechanism is a lightweight and autonomous software program that collects IT resource usage data.
The resource replication mechanism is typically performed when an IT resource's availability and performance need to be enhanced.
The ready-made environment mechanism is a defining

100 Summary of Key Points (cont.)
The automated scaling mechanism performs quick resource scaling in an automated way.
The load balancer mechanism is used to balance a workload across two or more IT resources.
A failover system can switch over to a redundant or standby IT resource instance whenever the active IT resource becomes unavailable. There are active-active and active-passive failover systems.
The resource cluster mechanism groups multiple IT resource instances so that they can be operated as a single IT resource instance.
The multi-device broker facilitates runtime data transformation so as to make a cloud service accessible to a wide range of devices.

101 Summary of Key Points (cont.)
Confidentiality, integrity, authenticity, and availability are characteristics that can be associated with measuring security.
An anonymous attacker is a non-trusted threat agent that usually attempts attacks from outside of a cloud's boundary.
A malicious tenant (trusted attacker) exists as an authorized cloud service consumer with legitimate credentials that it uses to exploit access to cloud-based IT resources.
A malicious insider is a human that attempts to abuse access privileges to cloud premises.

102 Summary of Key Points (cont.)
Cloud misconfigurations and insecure APIs can place threats on cloud resources.
The insufficient authorization attack occurs when access is granted to an attacker erroneously or too broadly, or when weak passwords are used.
Malware can be used and injected into cloud resources.
Traffic eavesdropping attacks are usually carried out by malicious service agents that intercept network traffic.
A denial of service attack occurs when a targeted IT resource is overloaded with requests in an attempt to cripple or render it unavailable.
The cloud security responsibility is shared between the Cloud Service Provider and the Customer.
The Cloud Security Alliance (CSA) leads the industry in
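As an added example (not from the lecture deck) tying together two points recapped above, the continuous monitoring for anomalous API traffic recommended on slide 85 and the request-flood form of denial of service in the figure on slide 92, the following Python models a shared service that counts each consumer's requests in a sliding window, throttles any single consumer that exceeds its share so that Consumer A's flood cannot starve Consumer B, and flags consumers whose rate is far out of line with the other tenants. The request log, window length, per-consumer limit and anomaly factor are all constructed assumptions for the example.

```python
"""Per-consumer rate monitoring and throttling for a shared cloud service.

Added example (not from the lecture deck). The traffic below is constructed:
Consumer A floods the service at 20 requests/second while B and C behave
normally. Window, limit and anomaly factor are assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0    # sliding window length (assumption)
PER_CONSUMER_LIMIT = 20  # attempts one consumer may make per window (assumption)
ANOMALY_FACTOR = 5       # flag a consumer above 5x the median rate of the others


class RateGuard:
    """Sliding-window counter per consumer: throttles floods, exposes rates."""

    def __init__(self, window=WINDOW_SECONDS, limit=PER_CONSUMER_LIMIT):
        self.window = window
        self.limit = limit
        self.attempts = defaultdict(deque)  # consumer -> timestamps of attempts in window
        self.served = defaultdict(int)
        self.throttled = defaultdict(int)

    def _trim(self, consumer, now):
        # Drop timestamps that have aged out of the window.
        q = self.attempts[consumer]
        while q and now - q[0] > self.window:
            q.popleft()

    def admit(self, consumer, now):
        """True if the request is served, False if throttled."""
        self._trim(consumer, now)
        q = self.attempts[consumer]
        allowed = len(q) < self.limit
        q.append(now)  # rejected attempts still count, so a flood stays visible
        if allowed:
            self.served[consumer] += 1
        else:
            self.throttled[consumer] += 1
        return allowed

    def current_rates(self, now):
        """Attempts per consumer in the window ending at `now`."""
        for consumer in list(self.attempts):
            self._trim(consumer, now)
        return {c: len(q) for c, q in self.attempts.items()}


def anomalous_consumers(rates, factor=ANOMALY_FACTOR):
    """Consumers whose attempt rate exceeds `factor` times the median of the others."""
    flagged = []
    for consumer, rate in rates.items():
        others = sorted(r for c, r in rates.items() if c != consumer)
        if not others:
            continue
        median = others[len(others) // 2]
        if rate > factor * max(median, 1):
            flagged.append(consumer)
    return sorted(flagged)


def constructed_request_log():
    """Constructed traffic as (timestamp_seconds, consumer) pairs, sorted by time."""
    events = [(i / 20, "A") for i in range(200)]   # A: 0.00 .. 9.95 s, 20 req/s
    events += [(i * 2.0, "B") for i in range(5)]    # B: 0, 2, 4, 6, 8 s
    events += [(i * 2.5, "C") for i in range(4)]    # C: 0, 2.5, 5, 7.5 s
    return sorted(events)


def run_monitor(log=None):
    """Replay a log through the guard and report what a defender would look at."""
    log = constructed_request_log() if log is None else log
    guard = RateGuard()
    for ts, consumer in log:
        guard.admit(consumer, ts)
    rates = guard.current_rates(log[-1][0])
    return {
        "served": dict(guard.served),
        "throttled": dict(guard.throttled),
        "rates": rates,
        "flagged": anomalous_consumers(rates),
    }


if __name__ == "__main__":
    print(run_monitor())
```

Two design choices are worth noting. Rejected attempts are still counted in the window, so throttling does not hide the flood from the anomaly check; and the anomaly baseline is the median of the other consumers rather than a fixed number, so one misbehaving tenant cannot drag the baseline up with its own traffic.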