On technical security issues in cloud computing


Post on 14-Jun-2015






Cloud Computing Security Issues


  • On Technical Security Issues in Cloud Computing

    Presented by: Sashikanta Taorem, 1RV09SCS16, M.Tech CSE, 2nd Semester

  • Outline

    Introduction

    Literature Survey

    Cloud computing security issues

    Conclusion and Future works

  • Introduction

    What is Cloud Computing?

    Security concerns in Cloud Computing.

  • What is Cloud Computing?

    C - Common Platform

    L - Location Independent

    O - Online Services

    U - Utility

    D - On Demand

  • Cloud Layers and Access Technology

    SaaS: Fortiva's email archiving service

    PaaS: Google App Engine

    IaaS: Amazon's Elastic Compute Cloud (EC2)

  • Cloud Computing Security Concern

    Entrusting one's own data and execution tasks to an external company.

    A different country with a different regulatory regime.

    Focus: Data Confidentiality, Data Safety, Data Privacy

  • Literature Survey

    Web Service Security

    Transport Layer Security

  • Web Service Security

    For a SOAP (Simple Object Access Protocol) message, it defines how to provide integrity, confidentiality and authentication.

    WSS defines a SOAP header that carries the WSS security extensions.

    Defines XML security standards which apply to SOAP messages, like XML Signature and XML Encryption.

  • XML Signature

  • Transport Layer Security

    TLS / Secure Sockets Layer (SSL)

    Cryptographic protocols that provide security for communications over networks such as the Internet.

    TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.

    Used in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

  • Cloud Computing Security Issues

    XML Signature

    Browser Security

    Cloud Integrity and Binding Issues

    Flooding Attacks

  • XML Signature

    Issue: XML Signature Element Wrapping

    In 2008 it was discovered that Amazon's EC2 services were vulnerable to wrapping attacks.

  • SOAP message with signed SOAP body

    SOAP message after attack
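
The two figures on this slide did not survive extraction. As an added example (not from the original slides), the check below shows the receiver-side condition that element wrapping violates: the element the signature references must be the same Body the application executes. Both messages, the operation names and the `Wrapper` element are constructed; the check covers same-document Id references only and does not replace cryptographic signature verification.

```python
import xml.etree.ElementTree as ET  # use a hardened XML parser for untrusted input

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ID_ATTR = f"{{{WSU}}}Id"


def signed_body_is_processed_body(message: str) -> bool:
    """True only if every signed Id is unique in the document and the
    Body that the service will dispatch on is one of the signed elements."""
    envelope = ET.fromstring(message)
    body = envelope.find(f"{{{SOAP}}}Body")      # direct child = processed Body
    refs = envelope.findall(f".//{{{DS}}}Reference")
    if body is None or not refs:
        return False
    signed_ids = {r.get("URI", "").lstrip("#") for r in refs}
    for sid in signed_ids:
        # A dangling or duplicated Id makes the reference ambiguous.
        if sum(1 for e in envelope.iter() if e.get(ID_ATTR) == sid) != 1:
            return False
    return body.get(ID_ATTR) in signed_ids


# Constructed sample messages (signature value and digests omitted).
NS = f'xmlns:soap="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}"'
SIG = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/>'
       '</ds:SignedInfo></ds:Signature>')
ORIGINAL = (f'<soap:Envelope {NS}><soap:Header>{SIG}</soap:Header>'
            '<soap:Body wsu:Id="body"><listItems/></soap:Body>'
            '</soap:Envelope>')
# The signed Body now sits under the header; a different Body is dispatched.
WRAPPED = (f'<soap:Envelope {NS}><soap:Header>{SIG}<Wrapper>'
           '<soap:Body wsu:Id="body"><listItems/></soap:Body>'
           '</Wrapper></soap:Header>'
           '<soap:Body wsu:Id="new"><removeItems/></soap:Body>'
           '</soap:Envelope>')

if __name__ == "__main__":
    for name, msg in (("original", ORIGINAL), ("wrapped", WRAPPED)):
        print(name, signed_body_is_processed_body(msg))
```
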

  • Browser Security

    The Legacy Same Origin Policy (SOP)

    Attacks on Browser-based Cloud Authentication

    Secure Browser-based Authentication

    Future Browser Enhancements

  • Same Origin Policy

    Allows read/write operations from the same origin.

    The origin is defined by the tuple (domain name, protocol, port).

    Problems: DNS caches can easily be filled with bogus data. Since DNS heavily relies on caching, domain names become unreliable.

  • Attacks on Browser-based Cloud Authentication

    Since the browser itself is unable to generate cryptographically valid XML tokens to authenticate against the cloud, this is done with the help of a trusted third party.

    Federated Identity Management (FIM) protocols, e.g. Microsoft's Passport

  • Attacks on Browser-based Cloud Authentication

    Current browser-based authentication protocols for the Cloud are not secure, because

    the browser is unable to issue XML-based security tokens by itself, and

    Federated Identity Management systems store security tokens within the browser, where they are only protected by the (insecure) SOP.

  • Secure Browser-based Authentication

    Done by integrating TLS and SOP, and securing FIM protocols.

    4 ways:

    TLS federation: uses X.509 client certificates

    SAML 2.0 holder-of-key assertion profile

    Strong locked same origin policy: uses the server's public key instead of DNS

    TLS session binding

  • Future Browser Enhancements

    By adding two enhancements to the browser security API:

    1. XML Encryption

    2. XML Signature

    In addition, the API should be powerful enough to support all standard key agreement methods specified in the WS-Security family of standards.

  • Cloud Integrity and Binding Issues

    Cloud Malware Injection Attack

    Metadata Spoofing Attack

  • Cloud Malware Injection Attack

    Injecting a malicious service implementation or virtual machine into the cloud system.

    Requires the attacker to create its own malicious service implementation module (SaaS/PaaS/IaaS) and add it to the cloud system.

    Solution: a service instance integrity check prior to using a service instance for incoming requests.

    This can be done by storing a hash value of the original service instance's image file.

  • Metadata Spoofing Attack

    Aims at maliciously re-engineering a web service's metadata descriptions.

    Example: modifying a WSDL (Web Service description document) so that a call to a deleteUser operation syntactically looks like a call to another operation, say setAdminRights.

    Solution: hash-based integrity verification of the metadata description file prior to usage is required.
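
The hash-based checks proposed on this slide and on the Cloud Malware Injection slide, as an added example (not from the original slides). The WSDL fragment, the `urn:example:` action names and the function names are constructed; hashing the canonical XML form instead of the raw bytes is a choice made here so that formatting-only changes do not raise false alarms.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize


def wsdl_digest(wsdl_text: str) -> str:
    """SHA-256 over the C14N 2.0 form of a metadata description."""
    c14n = canonicalize(wsdl_text, strip_text=True)
    return hashlib.sha256(c14n.encode("utf-8")).hexdigest()


def image_digest(path: str, chunk: int = 1 << 20) -> str:
    """SHA-256 of a service instance image file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_trusted(digest: str, pinned: str) -> bool:
    """Compare a freshly computed digest with the stored reference value."""
    return hmac.compare_digest(digest, pinned)


# Constructed WSDL fragment: one binding with a deleteUser operation.
PUBLISHED = (
    '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" '
    'xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">'
    '<binding name="UserBinding"><operation name="deleteUser">'
    '<soap:operation soapAction="urn:example:deleteUser"/>'
    '</operation></binding></definitions>'
)
# Reference digest, recorded from a trusted copy at deployment time.
PINNED = wsdl_digest(PUBLISHED)

# Same document, re-indented: must still be accepted.
REFORMATTED = PUBLISHED.replace("><", ">\n  <")
# deleteUser now maps to another action (the slide's example): rejected.
SPOOFED = PUBLISHED.replace("urn:example:deleteUser",
                            "urn:example:setAdminRights")

if __name__ == "__main__":
    for name, doc in (("reformatted", REFORMATTED), ("spoofed", SPOOFED)):
        print(name, is_trusted(wsdl_digest(doc), PINNED))
```

The check is only as strong as the storage of the reference digest: it has to live somewhere that whoever can replace the WSDL or the image cannot also write to.
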

  • Flooding Attack

    Direct Denial of Service

    Indirect Denial of Service

    Accounting and Accountability

  • Conclusion and Future Work

    Improving Cloud Computing security consists in strengthening the security capabilities of both Web browsers and Web Service frameworks, at best integrating the latter into the former.

  • References

    On technical security issue in cloud computing, Meiko, Jorg, Nils, Luigi, IEEE 2009.

    M. Jensen and J. Schwenk, "The accountability problem of flooding attacks in service-oriented architectures," in Proceedings of the IEEE International Conference on Availability, Reliability and Security (ARES), 2009.

    N. Gruschka and L. Lo Iacono, "Vulnerable Cloud: SOAP Message Security Validation Revisited," in ICWS '09: Proceedings of the IEEE International Conference on Web Services. Los Angeles, USA: IEEE, 2009.

    Google, "Browser security handbook," 2009. [Online]. Available: http://code.google.com/p/browsersec/

    M. Jensen, N. Gruschka, and N. Luttenberger, "The Impact of Flooding Attacks on Network-based Services," in Proceedings of the IEEE International Conference on Availability, Reliability and Security (ARES), 2008.

    http://en.wikipedia.org/wiki/WS-Security

    http://en.wikipedia.org/wiki/Soap

    http://en.wikipedia.org/wiki/XML_Signature

    http://en.wikipedia.org/wiki/Transport_layer_security

  • Thank You