Daniel Pereira, Diogo Ribeiro, João Faria, Nélson Rafael
Cloud Computing
SSIN 2015
Summary
● Introduction
● Cloud Computing
    ○ Vulnerabilities
    ○ Threats
    ○ Breaches
    ○ Attacks
    ○ Countermeasures
● Practical Demonstration of OpenStack Vulnerabilities
Cloud Computing Service Providers on Cloud Service Models

Cloud Service Model: Cloud Service Providers
SaaS: Antenna Software, Cloud9 Analytics, CVM Solutions, Exoprise Systems, GageIn, Host Analytics, Knowledge Tree, LiveOps, Reval, Taleo, NetSuite, Google Apps, Microsoft 365, Salesforce.com, Rackspace, IBM, and Joyent
PaaS: Amazon AWS, Google Apps, Microsoft Azure, SAP, SalesForce, Intuit, Netsuite, IBM, WorkXpress, and Joyent
IaaS: Amazon Elastic Compute Cloud, Rackspace, Bluelock, CSC, GoGrid, IBM, OpenStack, Rackspace, Savvis, VMware, Terremark, Citrix, Joyent, and BluePoint
The cloud reference architecture. We map cloud-specific vulnerabilities to components of this reference architecture, which gives us an overview of which vulnerabilities might be relevant for a given cloud service.
Taxonomy of Cloud Computing Threats
● Hackers might abuse the powerful computing capability provided by clouds to conduct illegal activities.
● Hackers could rent the virtual machines, analyze their configurations, find their vulnerabilities, and attack other customers’ virtual machines within the same cloud.
● IaaS also enables hackers to perform attacks that need high computing power, e.g. brute-force cracking.
● Data in all three cloud models can be accessed by unauthorized internal employees, as well as external hackers.
Factors contributing to risk according to the Open Group’s risk taxonomy. Risk corresponds to the product of loss event frequency (left) and probable loss magnitude (right). Vulnerabilities influence the loss event frequency.
Vulnerabilities
● Session Riding
● Virtual Machine Escape
● Reliability and Availability of Service
● Insecure Cryptography
● Data Protection and Portability
● CSP Lock-in
● Internet Dependency
Threats
● Ease of Use
● Secure Data Transmission
● Insecure APIs
● Malicious Insiders
● Shared Technology Issues
● Data Loss
● Data Breach
● Account/Service Hijacking
● Unknown Risk Profile
● Denial of Service
● Lack of Understanding
● User Awareness
Data Breaches
● Malicious Insider
● Online Cyber Theft
Cloud Security Attacks
● Malware Injection Attack
● Wrapping Attack
Countermeasures
● Security Policy Enhancement
● Access Management
● Data Protection
● Security Techniques Implementation
Practical Demonstration
● Credential Theft
● Session Hijacking (sidejacking method)
● Malicious Insider (memory dump scanning method)
Questions?