Cloud Computing (CS574) PDF
Rajiv Gandhi Institute of Petroleum Technology, Jais, Amethi
Dr. Kalka Dubey
Summary
This document provides an overview of Cloud Computing (CS574) concepts and includes discussions about Software as a Service (SaaS), security concerns, and web service applications. The presentation covers various aspects of cloud computing infrastructure, data security, and different functionalities. It's intended for use by university students.
RAJIV GANDHI INSTITUTE OF PETROLEUM TECHNOLOGY, JAIS, AMETHI
Department of Computer Science and Engineering
B.Tech. 3rd Year (CSE) + B.Tech Final Year (PE+CH)
Cloud Computing (CS574)
By Dr. Kalka Dubey, Assistant Professor, RGIPT Jais Amethi

UNIT-IV (Software as a Service)
- Introduction of SaaS
- Security in Cloud Environment
- Web Service Applications and Web Portal

Cloud Services

Cloud Layer (Platform as a Service vs. Software as a Service)
Layers, top to bottom: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking.
- Platform as a Service: you manage Applications and Data; Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking are managed by the vendor.
- Software as a Service: every layer, including Applications and Data, is managed by the vendor.

Introduction to SaaS

Software as a Service (SaaS)
Definition: Software as a Service (SaaS) is a software delivery model in which software and its associated data are hosted centrally and accessed using a thin client, usually a web browser over the internet. [Wikipedia]
SaaS is a method for delivering software that provides remote access to the software as a web-based service. The software service can be purchased for a monthly fee on a pay-as-you-go basis.

Software as a Service (SaaS)
- SaaS is a model of software deployment where an application is hosted as a service provided to customers across the Internet.
- SaaS alleviates the burden of software maintenance/support, but users relinquish control over software versions and requirements.

Applicability of SaaS
- Enterprise software application: sharing of data between internal and external users, e.g. the Salesforce CRM application.
- Single-user software application: runs on a single-user computer and serves one user at a time, e.g. Microsoft Office.
- Business Utility SaaS: applications like Salesforce automation are used by businesses and individuals for managing and collecting data, streamlining collaborative processes and providing actionable analysis.
- Social Networking SaaS: applications like Facebook are used by individuals for networking and sharing information, photos, videos, etc.

Considerations for SaaS Application Development

Important factors for good design of a SaaS model
Three distinct points separate a well-designed from a poorly designed SaaS application:
- Scalability
- Multi-tenant efficiency
- Configurable

Scalability
- Maximizing concurrency and efficient use of resources
- Optimizing locking duration
- Statelessness
- Sharing pooled resources such as threads and network connections
- Caching reference data
- Partitioning large databases

Multi-tenancy
- An important architectural shift from designing isolated, single-tenant applications
- One application instance should accommodate users from multiple companies at the same time while providing transparency
- This requires an architecture that maximizes the sharing of resources efficiently across tenants

Configurable
- A single application instance on a single server has to accommodate users from several different companies
- Traditionally, customizing an application meant changes in the code
- Instead, each customer uses metadata to configure the way the application appears and behaves for its users
- Customers configuring applications must be simple and easy, without any extra development or operation costs

SaaS service providers

Salesforce.com
- Salesforce CRM provides a complete solution that includes feature-rich solutions for marketing, sales, services, partner management and community management.
- CRM is originally software for managing customer interaction, such as scheduling tasks, emailing, texting, and many more.
- Salesforce grew into a cloud software solution and acquired several other companies for PaaS (Platform as a Service) and SaaS (Software as a Service).

Salesforce services

Advantages of SaaS
- Compared to traditional applications, SaaS applications are less clunky. They do not require users to install/uninstall binary code on their machines.
- Because SaaS is delivered through the internet, SaaS applications are able to run on a wide variety of devices.
- Allows for better collaboration between teams, since the data is stored in a central location.
- Change in SaaS applications is much faster. SaaS favors an Agile development life cycle; software changes are frequent and on-demand.

Advantages of SaaS (cont.)
- Easy to use: most SaaS applications do not require more than a web browser to run.
- Cheap: the pay-as-you-go pricing model of SaaS makes it affordable to small businesses and individuals.
- Applications are at lower risk of data loss, since data is stored in the cloud.

Disadvantages of SaaS
- Privacy
- Security
- Reliability
- Robustness

Security in Cloud Environment

Causes of Problems Associated with Cloud
Most security problems stem from:
- Loss of control
- Lack of trust (mechanisms)
- Multi-tenancy
These problems exist mainly in 3rd-party management models. Self-managed clouds still have security issues, but not related to the above.

Loss of Control in the Cloud
Consumer's loss of control:
- Data, applications and resources are located with the provider
- User identity management is handled by the cloud
- User access control rules, security policies and enforcement are managed by the cloud provider
- The consumer relies on the provider to ensure data security and privacy, resource availability, and monitoring and repair of services/resources

Lack of Trust in the Cloud
A brief deviation from the talk (but still related):
- Trusting a third party requires taking risks
- Defining trust and risk: opposite sides of the same coin (J. Camp)
- People only trust when it pays (economist's view)
- The need for trust arises only in risky situations
- Third-party management schemes: hard to balance trust and risk

Multi-tenancy Issues in the Cloud
The conflict between tenants' opposing goals:
- Tenants share a pool of resources and have opposing goals
- How does multi-tenancy deal with conflict of interest? Can tenants get along together and 'play nicely'? If they can't, can we isolate them? How do we provide separation between tenants?
Cloud computing brings new threats:
- Multiple independent users share the same physical infrastructure
- Thus an attacker can legitimately be on the same physical machine as the target

Taxonomy of Fear
Confidentiality
- Fear of loss of control over data
- Will the sensitive data stored on a cloud remain confidential?
- Will cloud compromises leak confidential client data?
- Will the cloud provider itself be honest and not peek into the data?
Integrity
- How do I know that the cloud provider is doing the computations correctly?
- How do I ensure that the cloud provider really stored my data without tampering with it?

Taxonomy of Fear (cont.)
Availability
- Will critical systems go down at the client if the provider is attacked in a Denial of Service attack?
- What happens if a cloud provider goes out of business?
- Would the cloud scale well enough? An often-voiced concern, although cloud providers argue their downtime compares well with cloud users' own data centers.

Taxonomy of Fear (cont.)
Privacy issues raised via massive data mining
- The cloud now stores data from a lot of clients and can run data mining algorithms to get large amounts of information on clients
Increased attack surface
- An entity outside the organization now stores and computes data, so attackers can now target the communication link between cloud provider and client
- Cloud provider employees can be phished

Taxonomy of Fear (cont.)
Auditability and forensics (out of control of data)
- Difficult to audit data held outside the organization in a cloud
- Forensics is also made difficult, since clients no longer maintain data locally
Legal quagmire and transitive trust issues
- Who is responsible for complying with regulations?
- If the cloud provider subcontracts to third-party clouds, will the data still be secure?

Threat Model
A threat model helps in analyzing a security problem, designing mitigation strategies, and evaluating solutions.
Steps:
- Identify attackers, assets, threats, and other components
- Rank the threats
- Choose mitigation strategies
- Build solutions based on the strategies

Threat Model (cont.)
Basic components:
- Attacker modeling: choose what attacker to consider (insider vs. outsider? single vs. collaborator?), attacker motivation and capabilities, attacker goals
- Vulnerabilities / threats

What is the issue?
- The core issue here is the levels of trust
- Many cloud computing providers trust their customers
- Each customer is physically commingling its data with data from anybody else using the cloud, while logically and virtually you have your own space
- The way that the cloud provider implements security is typically focused on the fact that those outside of their cloud are evil, and those inside are good

Attacker Capability: Malicious Insiders
At the client:
- Learn passwords/authentication information
- Gain control of the VMs
At the cloud provider:
- Log client communication
- Can read unencrypted data
- Can possibly peek into VMs, or make copies of VMs
- Can monitor network communication, application patterns
Why?
- Gain information about client data
- Gain information on client behavior
- Sell the information or use it themselves
From www.cs.jhu.edu/~ragib/sp10/cs412

Attacker Capability: Outside Attacker
What?
- Listen to network traffic (passive)
- Insert malicious traffic (active)
- Probe cloud structure (active)
- Launch DoS
Goal?
- Intrusion
- Network analysis
- Man in the middle
- Cartography

Challenges for the attacker
- How to find out where the target is located?
- How to be co-located with the target in the same (physical) machine?
- How to gather information about the target?

Infrastructure Security
- Network Level
- Host Level
- Application Level

The Network Level
- Ensuring confidentiality and integrity of your organization's data-in-transit to and from your public cloud provider
- Ensuring proper access control (authentication, authorization, and auditing) to whatever resources you are using at your public cloud provider
- Ensuring availability of the Internet-facing resources in a public cloud that are being used by your organization, or have been assigned to your organization by your public cloud providers
- Replacing the established model of network zones and tiers with domains

The Host Level: SaaS/PaaS
- Both the PaaS and SaaS platforms abstract and hide the host OS from end users
- Host security responsibilities are transferred to the CSP (Cloud Service Provider)
- You do not have to worry about protecting hosts
- However, as a customer, you still own the risk of managing information hosted in the cloud services

The Application Level
- DoS
- EDoS (Economic Denial of Sustainability): an attack against the billing model that underlies the cost of providing a service, with the goal of bankrupting the service itself
- End user security
- Who is responsible for web application security in the cloud?
- SaaS/PaaS/IaaS application security
- Customer-deployed application security

Data Security and Storage
Several aspects of data security, including:
- Data-in-transit: confidentiality + integrity using a secured protocol; confidentiality with a non-secured protocol and encryption
- Data-at-rest: generally not encrypted, since data is commingled with other users' data. Encryption if it is not associated with applications? But how about indexing and searching? Then homomorphic encryption vs. predicate encryption?
- Processing of data, including multitenancy: for any application to process data, it is not encrypted
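The "how about indexing and searching?" question for encrypted data-at-rest can be made concrete with a blind index. The example below is added here and is not from the slides or from any named provider: each tenant keeps a master key, encrypts record bodies with an HMAC-based keystream plus an encrypt-then-MAC tag (an illustrative stand-in for a real AEAD cipher), and uploads keyed keyword tokens that the shared, multi-tenant store can match for equality without learning the keywords. The tenant names and record contents are constructed sample data.

```python
import hashlib
import hmac
import secrets

def index_token(index_key: bytes, keyword: str) -> str:
    """Blind index: a keyed hash of the normalised keyword. The provider can compare
    tokens for equality but cannot recover the keyword without the tenant's key."""
    return hmac.new(index_key, keyword.strip().lower().encode(), hashlib.sha256).hexdigest()

def prf_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream; XOR both encrypts and decrypts.
    Illustrative stand-in for a real AEAD cipher such as AES-GCM (not on the slides)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

class SharedStore:
    """Provider side: one store commingling all tenants' records; it never holds a key."""
    def __init__(self):
        self.records = []  # (record_id, tenant_id, nonce, ciphertext, tag, tokens)

    def put(self, record_id, tenant_id, nonce, ciphertext, tag, tokens):
        self.records.append((record_id, tenant_id, nonce, ciphertext, tag, frozenset(tokens)))

    def search(self, tenant_id, token):
        # Equality match only: the provider sees which records share a token (access-pattern
        # leakage) but not which keyword the token stands for.
        return [r for r in self.records if r[1] == tenant_id and token in r[5]]

class TenantClient:
    """Tenant side: per-purpose keys derived from a master key that stays with the tenant."""
    def __init__(self, tenant_id, store, master_key=None):
        self.tenant_id, self.store = tenant_id, store
        mk = master_key or secrets.token_bytes(32)
        self.enc_key = hmac.new(mk, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(mk, b"mac", hashlib.sha256).digest()
        self.idx_key = hmac.new(mk, b"idx", hashlib.sha256).digest()

    def upload(self, record_id, plaintext: str, keywords):
        nonce = secrets.token_bytes(16)
        ct = prf_ctr(self.enc_key, nonce, plaintext.encode())
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        self.store.put(record_id, self.tenant_id, nonce, ct, tag,
                       {index_token(self.idx_key, k) for k in keywords})

    def search(self, keyword: str):
        """Decrypted plaintexts of matching records; each tag is checked before decrypting."""
        hits = []
        for _, _, nonce, ct, tag, _ in self.store.search(self.tenant_id, index_token(self.idx_key, keyword)):
            if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
                raise ValueError("record modified at rest: MAC check failed")
            hits.append(prf_ctr(self.enc_key, nonce, ct).decode())
        return hits
```

Because tokens are derived from a per-tenant key, the same keyword yields different tokens for different tenants, so commingled storage does not let one tenant's query match another's records; what the provider still learns is which records repeat a token, which is the leakage the homomorphic vs. predicate encryption question on the slide is about.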
Data Security and Storage (cont.)
- Data lineage: knowing when and where the data was located in the cloud is important for audit/compliance purposes, e.g. Amazon AWS: store, process, restore
- Data provenance: computational accuracy (as well as data integrity). E.g., financial calculation: sum ((((2*3)*4)/6) - 2) = $2.00? Correct, assuming US dollars. How about dollars of different countries? Correct exchange rate?

Third-Party Cloud Computing
Like Amazon's EC2 and Microsoft's Azure:
- Allow users to instantiate Virtual Machines
- Allow users to purchase the required quantity when required
- Allow service providers to maximize the utilization of sunk capital costs
- Confidentiality is very important

New Vulnerabilities & Attacks
- Threats arise from other consumers, due to the subtleties of how physical resources can be transparently shared between VMs
- Such attacks are based on placement and extraction
- A customer VM and its adversary can be assigned to the same physical server
- The adversary can penetrate the VM and violate customer confidentiality

More on attacks...
Collaborative attacks:
- Mapping of internal cloud infrastructure
- Identifying likely residence of a target VM
- Instantiating new VMs until one gets co-resident with the target
Cross-VM side-channel attacks:
- Extract information from the target VM on the same machine

Web Service Applications and Web Portal

Web Services

Definition
Many definitions:
- "...technologies that allow for making connections"
- "a software system designed to support interoperable m2m interaction over the network"
- "..a service offered by an electronic device to another electronic device, communicating with each other via WWW"
Web services may use the SOAP protocol over HTTP (or FTP, SMTP, ...) for their communication. HTTP is utilized for m2m communication and for transferring information in XML or JSON.

Service
- A function that is well defined, self-contained, does not depend on the context or state of other services, can be accessed remotely and updated independently.
- Services carry out a function, such as producing data, validating a customer, or retrieving a credit card statement.
- Web services are the connection technology of SOA. Most APIs in cloud computing are implemented as SOAP or RESTful web services.

Web Services vs Websites
- A website is typically intended for human consumption (human-to-computer interaction), whereas web services are typically intended for computer-to-computer interaction.
- A web service may have a GUI or an API; a website may implement web services in the background.
- PayPal has both a GUI and implements web services (e.g. for payments, user management etc.)

A Service example
Basic service-oriented architecture:
- The service provider returns a response message to the service consumer (client).
- Simple data, message passing.
- The request and subsequent response connections are defined in some way that is understandable to both the service consumer and the service provider.

End of Unit 4
THANKS.....
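The data lineage and provenance bullets on the Data Security and Storage (cont.) slide (where a computation ran, on which inputs, in which currency, with which exchange rate) can be carried through as a hash-chained provenance log that the client replays. The example below is added here and is not from the slides: the provider records each step of the slide's ((((2*3)*4)/6) - 2) calculation, and the client audits the log with exact decimal arithmetic. The region name and exchange rate are constructed values, not real quotes.

```python
import json
from decimal import Decimal
from hashlib import sha256

# The operations the slide's calculation needs, plus an explicit currency conversion step.
OPS = {"mul": lambda a, b: a * b, "div": lambda a, b: a / b,
       "sub": lambda a, b: a - b, "fx": lambda a, rate: a * rate}
GENESIS = "0" * 64  # value the first entry links to

class ProvenanceLog:
    """Append-only, hash-chained lineage: where each step ran, on which inputs, in which
    currency, giving what output. Every entry commits to the previous one, so a later edit
    breaks the chain and is caught by verify()."""
    def __init__(self):
        self.entries, self.head = [], GENESIS

    def append(self, location, op, a, b, ccy_in, ccy_out):
        out = OPS[op](Decimal(a), Decimal(b))
        entry = {"loc": location, "op": op, "a": str(a), "b": str(b), "ccy_in": ccy_in,
                 "ccy_out": ccy_out, "out": str(out), "prev": self.head}
        self.head = sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append({**entry, "hash": self.head})
        return out

def provider_job(log, region, fx_rate, target_ccy):
    """Constructed provider-side job: the slide's ((((2*3)*4)/6) - 2) in USD, followed by
    one explicit conversion step using a recorded rate (region and rate are made-up inputs)."""
    v = log.append(region, "mul", "2", "3", "USD", "USD")
    v = log.append(region, "mul", v, "4", "USD", "USD")
    v = log.append(region, "div", v, "6", "USD", "USD")
    v = log.append(region, "sub", v, "2", "USD", "USD")
    return log.append(region, "fx", v, fx_rate, "USD", target_ccy)

def verify(entries):
    """Client-side audit: replay every step from its recorded inputs, check the hash chain
    and input/output linkage, and reject any step that changes currency without an explicit
    fx step. Returns (ok, final recorded value or the reason for failure)."""
    prev_hash, prev_out = GENESIS, None
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev_hash or sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
            return False, "hash chain broken at step " + e["op"]
        if prev_out is not None and Decimal(e["a"]) != Decimal(prev_out):
            return False, "input of " + e["op"] + " is not the previous output"
        if e["op"] != "fx" and e["ccy_in"] != e["ccy_out"]:
            return False, "currency changed without an fx step"
        if OPS[e["op"]](Decimal(e["a"]), Decimal(e["b"])) != Decimal(e["out"]):
            return False, "recomputation of " + e["op"] + " differs from recorded output"
        prev_hash, prev_out = e["hash"], e["out"]
    return True, prev_out
```

The audit answers both integrity questions from the Taxonomy of Fear slide at once: a wrong intermediate result fails the recomputation, and a log edited after the fact fails the hash chain.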