Overview
Definition
Characteristics
Advantages & Drawbacks
Security Problem
Security Risks
Security Threats
Cloud
Computing
Cloud
Security
Architecture
Hypervisor
VMVM
Hypervisor
VMVM
Hypervisor
VMVM
Cloud Service APIDeployer
DevOps
Private Network
Cloud operations
Cloud service provider
Customer Enterprise EnterpriseAttacker
Internet Private Network
DC ops
Advantages and Disadvantages ?
Greater efficiency
Increased flexibility
Scalability
A way to deal with
lack of technical
expertise
Lower computing
costs
Security concerns
Privacy
International Issues
Loss of local control
Requires constant
high-speed Internet
access
Security Problem
• In 2007, Salesforce.com leaked customer contact lists after anemployee revealed the list to a phisher, and in turn allowed scammersto target phishing attacks against Salesforce customers.
• Google revealed in June 2011 that hackers from China stolepasswords and attempted to break into email accounts to stealinformation.
• In April 2011, Sony was involved in a massive security blunder thatpotentially gave away 100 million credit card numbers. Hackersclaimed to have stolen millions of credit card numbers from Sony’sPlayStation Network.
• Hotmail and Yahoo Mail users were also targeted in phishing attacks.The attacks involved a user either clicking a malicious link in the emailor even viewing the email itself which would then run malicious codeand attempt to compromise the user’s account.
What are the Major Threats in Cloud?
Data Breaches
Insecure APIs
Data Loss
Data Loss
Denial of Service
Account/Service Hijacking
Malicious Insider
Shared technology
Shared Technology Issues
Hypervisor
VMVM
Hypervisor
VMVM
Hypervisor
VMVM
Customer A Customer BAttacker
VMVM VMVM
Malicious Insider
Hypervisor
VMVM
Hypervisor
VMVM
Hypervisor
VMVM
Cloud Service APIDeployer
DevOps
Private Network
Cloud operations
Cloud service provider
Cloud Service API
Denial of Service
Hypervisor
VMVM
Hypervisor
VMVM
Hypervisor
VMVM
Cloud Service API
Cloud service provider
EnterpriseAttackerInternet
Cloud Service API
VM
Insecure Interfaces and APIs
Week TLS crypto (use of HTTP instead of HTTPS).
Incomplete verification of encrypted content.
Account or Service Traffic Hijacking
Account Hijacking: Unauthorized access to anaccount
Week passwords
Stolen passwords (by network, machines...)
Password reuse
Cloud use may result unmanaged credentials
Publically accessible applications/services may allowfor brute forcing
Applies to cloud provider : cloud supportinfrastructure is a back door
Data Loss
There are multiple ways to lose data:
customer accidentally deletes or modifies it (by mistake)
attacker deletes or modifies it (cryptolocker)
cloud provider accidentally deletes it
natural disaster destroys datacenter
• Backup matter
• Tombstomp
Data Breaches
Represents a collection of threats:
Insider threat, vulnerability in shared technology, etc.
• Ultimatly, a company’s main asset is its data
• How does a company ensure its data is protected in the case of successful breach?
Need to look at the threats individually...