BY:-

VIPUL GUPTA

0702913116BY: VIPUL GUPTA

What is CLOUD? Advantages of Cloud Major concerns in Cloud Security Foundations to understand Threats Understanding Threats Government’s role SERVICE LEVEL AGREEMENT Conclusion & Future Work

In June 2009, a study conducted by VersionOne found that 41% of senior IT professionals actually don't know what cloud computing is and two-thirds of senior finance professionals are confused by the concept, highlighting the young nature of the technology

…the idea of relying on Web-based application and storing data in the “CLOUD” of the internet.

The cloud is a smart, complex, powerful

computing system in the sky that people can

just plug into.

It starts with the premise that the data

services and architecture should be on the servers. We call it Cloud Computing – they should be in a

“CLOUD” somewhere

Cloud computing is Web-based processing, whereby shared

resources, software, and information are provided to computers and other devices (such as smartphones) on

demand over the Internet.

“Cloud” is simply a metaphor for the internet

Users do not have or need knowledge, control, ownership in the computer infrastructure

Users simply rent or access the software, paying only for what they use

AuthenticationTrust on vendor data privacy

Defines how to provide integrity, integrity, confidentiality and authenticationconfidentiality and authentication for SOAP messages

Defines a SOAP header (Security) that carries the WS-Security extensions

Defines how existing XML security standards like XML Signature and XML Encryption are applied to SOAP messages

XML Encryption allows XML fragments to be encrypted to ensure data confidentiality The encrypted fragment is replaced by an

EncryptedData element containing the ciphertext of the encrypted fragment as content

XML Encryption defines an Encrypted- Key element for key transportation purposes

WS-Security defines security tokens suitable for transportation of digital identities

Example: X.509 certificates

Also known by the name “ SECURE SOCKET LAYER(SSL)”

Consist of two parts: The Record Layer encrypts/decrypts TCP data

streams using the algorithms and keys negotiated in the TLS Handshake

TLS Handshake :used to authenticate the server and optionally the client

Most important cryptographic protocol worldwide, implemented in every web browser

TLS configuration FAILS for

PHISHING Attacks

A well known type of attacks called:•XML Signature Element Wrapping

Discovered by McIntosh and Austel in 2005 Until 2008, this attacks remained

theoretical and no real-life wrapping attack became public

In 2008 it was discovered that Amazon’s EC2 services was vulnerable to wrapping attacks

Web browsers can not directly make use of XML Signature or XML Encryption: data can only be

encrypted through TLS, and signatures are only used

within the TLS handshake

The Legacy Same Origin Policy: The Legacy Same Origin Policy: Concerned if scripts be allowed/disallowed to runConcerned if scripts be allowed/disallowed to run

Attacks on Browser-based Cloud Authentication: Federated Identity Management (FIM) protocols

• Authentication by THIRD PARTY

National Institute of Standards and Technology (NIST), an agency of the Commerce Department’s

Technology Administration created a cloud computing security group

It promotes “the effective and secure use of the technology within government and industry by providing

technical guidance and promoting standards” NIST has recently released its draft “Guide to

Adopting and Using the Security Content Automation Protocol(SCAP)”

A service level agreement is a document which defines the relationship between two parties: the provider and the recipient

Vendors have to provide some assurance in service level agreements (SLA) to convince the customer

on security issues If used properly it should: • Identify and define the customer’s

needs • Provide a framework for understanding • Simplify complex issues • Reduce areas of conflict

We investigated on going issues with application of XML Signature and the Web Services security frameworks

Discussed the importance and capabilities of browser security in the Cloud Computing context

The threats to Cloud Computing security are numerous, and each of them requires an in-depth analysis on their potential impact and relevance to real-world Cloud Computing scenarios

Future aspect includes strengthening the security capabilities of both Web browsers and Web Service frameworks, at best integrating the latter into the first

To achieve a recognized and actionable security policy, SCAP recommends that organizations demonstrate compliance with security requirements in mandates

such as the US Federal Information Security Management Act (FISMA)

On Technical Security Issues in Cloud Computing, Meiko Jensen, J¨org SchwenkHorst (G¨ortz Institute for IT Security, Ruhr University Bochum, Germany) and Nils Gruschka, Luigi Lo Iacono(NEC Laboratories Europe,NEC Europe Ltd)-IEEE-2009

Lori M. Kaufman, BAE Systems, IEEE-2009 Cloud Security Issue ,Balachandra Reddy

Kandukuri, Ramakrishna Paturi V, Dr. Atanu Rakshit, IEEE-2009

http://csrc.nist.gov/groups/SNS/cloudcomputing/ index.html

QUERIES???QUERIES???