Daniel PereiraDiogo Ribeiro

João FariaNélson Rafael

Cloud Computing

SSIN 2015

Summary

● Introduction● Cloud Computing

○ Vulnerabilities○ Threats○ Breaches○ Attacks○ Countermeasures

● Practical Demonstration of Openstack Vulnerabilities

Cloud Computing Service Providers on Cloud Service Models

Cloud Service Models Cloud Service Providers

SaaSAntenna Software, Cloud9 Analytics, CVM Solutions, Exoprise Systems, Gageln, Host Analytics, Knowledge Tree, LiveOps, Reval, Taleo, NetSuite, Google Apps, Microsoft 365, Salesforce.com, Rackspace, IBM, and Joyent

PaaSAmazon AWS, Google Apps, Microsoft Azure, SAP, SalesForce, Intuit, Netsuite, IBM, WorkXpress, and JoyentAmazon AWS, Google Apps, Microsoft Azure, SAP, SalesForce, Intuit, Netsuite, IBM, WorkXpress, and Joyent

IaaSAmazon Elastic Compute Cloud, Rackspace, Bluelock, CSC, GoGrid, IBM, OpenStack, Rackspace, Savvis, VMware, Terremark, Citrix, Joyent, and BluePoint

The cloud reference architecture. We map cloud-specific vulnerabilities to components of this reference architecture, which gives us an overview of which vulnerabilities might be relevant for a given cloud service.

Taxonomy of Cloud Computing Threats

● Hackers might abuse the forceful computing capability provided by clouds by conducting illegal activities.

● Hackers could rent the virtual machines, analyze their configurations, find their vulnerabilities, and attack other customers’ virtual machines within the same cloud.

● IaaS also enables hackers to perform attacks, e.g. brute-forcing cracking, that need high computing power.

● Data in all three cloud models can be accessed by unauthorized internal employees, as well as external hackers.

Factors contributing to risk according to the Open Group’s risk taxonomy. Risk corresponds to the

product of loss event frequency (left) and probable loss magnitude (right). Vulnerabilities influence the

loss event frequency.

Vulnerabilities

● Session Riding● Virtual Machine Escape● Reliability and Availability of Service● Insecure Cryptography● Data Protection and Portability● CSP Lock-in● Internet Dependency

Threats

● Ease of Use● Secure Data Transmission● Insecure APIs● Malicious Insiders● Shared Technology Issues● Data Loss

● Data Breach● Account/Service Hijacking● Unknown Risk Profile● Denial of Service● Lack of Understanding● User Awareness

Data Breaches

● Malicious Insider

● Online Cyber Theft

Cloud Security Attacks

● Malware Injection Attack

● Wrapping Attack

Countermeasures● Security Policy Enhancement

● Access Management

● Data Protection

● Security Techniques Implementation

Practical Demonstration

● Credential Theft

● Session Hijacking (sidejacking method)

● Malicious Insider (memory dump scanning method)

#Questions?