
Post on 22-Dec-2015


Cloud Computing Security

Ritesh Kotekar Udupa

Topics to be discussed
• What is a cloud?
• Advantages of the cloud computing
• Service & Deployment models
• Levels of Security
• Security Concerns
• Identity Management
• InterCloud Identity Management Infrastructure
• Summary

What is a cloud?
Virtualized pool: Dynamically scalable shared resources accessed over a network
• Resources: Storage, Computing, services, etc.
• Shared internally or with other customers
• Only pay for what you use

Advantages of the cloud computing
• Reduced Costs
• Efficient Resource Sharing
• Easy Expansion
• More Mobility
• Consumption based costs
• Instant software updates
• Contribution to Green computing
  - Reducing the consumption of electricity
  - Reducing emissions that damage the environment.

Service Model
• SaaS (Software as a Service)
• PaaS (Platform as a Service)
• IaaS (Infrastructure as a Service)

Service Model
• SaaS: Software as a service
• PaaS: Platform as a service
• IaaS: Infrastructure as a service

• Productivity and collaboration apps, e.g. Google Apps
• CRM apps, e.g. Impel CRM, Salesforce.com, Microsoft Dynamics.
• Cloud based Storage and Sharing services, e.g. Dropbox, Skydrive, Amazon S3, Google Docs.

Service Model
• SaaS: Software as a service
• PaaS: Platform as a service
• IaaS: Infrastructure as a service

Individual Development Platforms
• GAE - Individual Java, Python developers.
• Microsoft Windows Azure - ASP.Net (C#, VB.Net)
• Amazon's Beanstalk - for Java developers
• Heroku - Facebook apps creation.
• PHP Fog and CloudControl - PHP.

Multi-language application platform
• DotCloud.

Service Model
• SaaS: Software as a service
• PaaS: Platform as a service
• IaaS: Infrastructure as a service

Virtualization, e.g. VMware, VirtualPC, VirtualBox, Amazon EC2 (Elastic Compute Cloud)
  - Execution on a virtual computer (instance).
  - Configuration of CPU, memory & storage.

Cloud Infrastructure, e.g. Servers, Storage, routers etc.

Deployment Models
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud

Levels of Security [7]
• Facility Level: Physical Controls, Access Controls, Video Surveillance, Background Checks
• Network Level: Multilayer Firewalls, Intrusion Detection, 128 bit TLS Encryption, Dual Factor Authentication
• OS & Application Level: ADFS & SAML, Access Control & monitoring (AD), Antimalware & Anti Spam, Patch & Configuration Management, Secure Engineering
• Data Level: Access Control Lists, User Level Access, File/Data Integrity

Security Concerns [1]
1. Confidentiality
2. Integrity
3. Availability
4. Privacy
5. Authentication
6. Control
7. Audit

Confidentiality in the cloud [1]
• Virtual Physical Isolation
• Encrypted Storage

Availability [1]

Strategies
• Hardening
• Redundancy

• Annual Uptime Percentage
• QoS Guarantee

Authentication
1. Every website/app needs credentials
• Username/Email
• Password

Resulting Problems
• So many apps, so many passwords!!
• Identity Scattered
• Trust

Is there a solution?

OpenID - Identity Management [5]
• Sharing single identity with different consumers
• Decentralized
• Some OpenID Providers: Google, Facebook, IBM, MySpace, VeriSign, Yahoo
• End User Privacy is not presently explicitly addressed

Single Sign-On – Identity Management [4]
• Authentication done only once
• Access to Multiple Applications
• Switch applications during a particular session

E.g. Google


Single Sign On - Flow Chart

SAML (Security Assertion Markup Language) [2],[6]
• IdM using IdP/SP Model
  - End user
  - User Agent
  - Service Provider (SP)
  - Identity Provider (IdP)


SAML (Security Assertion Markup Language) [2]

User Tracking [4]
• Authentication
• Timeout check
• Recognition of a user


InterCloud Identity Management Infrastructure[2]


Trust relationship establishment

SOAP Message of IdP X
SOAP – Simple Object Access Protocol

Possible Attacks & Solutions [4]
Man in the Middle Attack (DNS Spoofing)

Solutions
• SSL/TLS
• Signature and Encryption of SOAP Messages

Possible Attacks & Solutions [4]
Message Modification

Solutions
• Inline Approach

Possible Attacks & Solutions [4]
• Inline Approach

SOAP Account Info
• Number of children of Envelope is 2
• Number of Header is 2
• Number of Signed Elements is 3
• Immediate Predecessor of the 1st Signed Element is Envelope.
• Sibling Elements of the 1st Signed Element is Header.
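
The SOAP Account check behind the Inline Approach to message modification, as an added example (not code from the slides or the cited papers): it recomputes the structural facts listed above for a received envelope and reports which ones no longer match the sender's account. Assumptions: "Number of Header" is read as the number of child elements of the SOAP Header, signed elements are those referenced by ds:Reference, the sample messages and the names soap_account, mismatches, SoapAccount and Wrapper are constructed, and signature verification itself is left to the WS-Security stack.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def soap_account(xml_text):
    """Compute the structural facts listed on the slide for one envelope."""
    env = ET.fromstring(xml_text)
    parent = {child: p for p in env.iter() for child in p}
    by_id = {v: el for el in env.iter()
             for k, v in el.attrib.items() if local(k) == "Id"}
    header = next(c for c in env if local(c.tag) == "Header")
    # Assumption: a signed element is one referenced by a ds:Reference URI.
    refs = [r.get("URI", "").lstrip("#") for r in env.iter(DS + "Reference")]
    first = by_id[refs[0]]
    return {
        "envelope_children": len(env),
        "header_children": len(header),  # assumed meaning of "Number of Header"
        "signed_elements": len(refs),
        "first_signed_parent": local(parent[first].tag),
        "first_signed_siblings": [local(s.tag) for s in parent[first] if s is not first],
    }

def mismatches(expected, xml_text):
    """Account fields where the received message differs from the sender's account."""
    actual = soap_account(xml_text)
    return sorted(k for k in expected if expected[k] != actual[k])

# Constructed sample messages (not from the slides); signature values omitted.
SIGNED_BODY = '<s:Body w:Id="body"><GetQuote/></s:Body>'
TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:w="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><s:Header>
 <Security><ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/>
 <ds:Reference URI="#ts"/><ds:Reference URI="#acct"/></ds:SignedInfo></ds:Signature>
 <Timestamp w:Id="ts"/></Security><SoapAccount w:Id="acct"/>{extra}
 </s:Header>{body}</s:Envelope>"""
ORIGINAL = TEMPLATE.format(extra="", body=SIGNED_BODY)
# Same signed Body, but relocated under a header wrapper with a new unsigned Body.
MODIFIED = TEMPLATE.format(extra="<Wrapper>" + SIGNED_BODY + "</Wrapper>",
                           body="<s:Body><GetQuote/></s:Body>")

if __name__ == "__main__":
    account = soap_account(ORIGINAL)
    print(account)
    print("original :", mismatches(account, ORIGINAL))
    print("modified :", mismatches(account, MODIFIED))
```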

Summary
• Cloud Definition
• Advantages of Cloud Computing
• Service models (SaaS, PaaS, IaaS)
• Deployment Models (Public, Private, Hybrid, Community)
• Levels of security (Facility, Network, OS & Appln, Data)
• Security and Privacy concerns
• Identity Management
• ICIMI (InterCloud IdM Infrastructure)

References

[1] Minqi Zhou; Rong Zhang; Wei Xie; Weining Qian; Aoying Zhou, "Security and Privacy in Cloud Computing: A Survey," Semantics Knowledge and Grid (SKG), 2010 Sixth International Conference on, pp. 105-112, 1-3 Nov. 2010. doi: 10.1109/SKG.2010.19. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5663489&isnumber=5663480

[2] Celesti, A.; Tusa, F.; Villari, M.; Puliafito, A., "Security and Cloud Computing: InterCloud Identity Management Infrastructure," Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE), 2010 19th IEEE International Workshop on, pp. 263-265, 28-30 June 2010. doi: 10.1109/WETICE.2010.49. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5541971&isnumber=5541771

[3] Jianfeng Yang; Zhibin Chen, "Cloud Computing Research and Security Issues," Computational Intelligence and Software Engineering (CiSE), 2010 International Conference on, pp. 1-3, 10-12 Dec. 2010. doi: 10.1109/CISE.2010.5677076. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5677076&isnumber=5676710

[4] Jensen, M.; Schwenk, J.; Gruschka, N.; Iacono, L.L., "On Technical Security Issues in Cloud Computing," Cloud Computing, 2009. CLOUD '09. IEEE International Conference on, pp. 109-116, 21-25 Sept. 2009. doi: 10.1109/CLOUD.2009.60. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5284165&isnumber=5283545

[5] http://www.slideshare.net/rmetzler/identity-on-the-web-openid-vs-oauth

[6] http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

[7] http://www.youtube.com/watch?v=9do6ig6eg3E

[8] https://www.owasp.org/images/4/4b/AnInlineSOAPValidationApproach-MohammadAshiqurRahaman.pdf

[9] "Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1," December 2009, Cloud Security Alliance, http://www.cloudsecurityalliance.org/csaguide.pdf
