On technical security issues in cloud computing


Post on 14-Jun-2015






Cloud Computing Security Issues


<ul>
<li><p>On Technical Security Issues in Cloud Computing</p><p>Presented by: Sashikanta Taorem, 1RV09SCS16, M.Tech CSE, 2nd Semester</p></li>
<li><p>Outline</p><p>Introduction</p><p>Literature Survey</p><p>Cloud computing security issues</p><p>Conclusion and Future Work</p></li>
<li><p>Introduction</p><p>What is Cloud Computing?</p><p>Security concerns in Cloud Computing.</p></li>
<li><p>What is Cloud Computing?</p><p>C - Common Platform</p><p>L - Location Independent</p><p>O - Online Services</p><p>U - Utility</p><p>D - On Demand</p></li>
<li><p>Cloud Layers and Access Technology</p><p>SaaS - Fortiva's email archiving service</p><p>PaaS - Google App Engine</p><p>IaaS - Amazon's Elastic Compute Cloud (EC2)</p></li>
<li><p>Cloud Computing Security Concern</p><p>Entrusting one's own data and execution tasks to an external company.</p><p>A different country with different regulations.</p><p>Focus: data confidentiality, data safety, data privacy.</p></li>
<li><p>Literature Survey</p><p>Web Service Security</p><p>Transport Layer Security</p></li>
<li><p>Web Service Security</p><p>For a SOAP (Simple Object Access Protocol) message, it defines how to provide integrity, confidentiality and authentication.</p><p>WSS defines a SOAP header that carries the WSS security extensions.</p><p>Defines how XML security standards, like XML Signature and XML Encryption, are applied to SOAP messages.</p></li>
<li><p>XML Signature</p></li>
<li><p>Transport Layer Security</p><p>TLS and Secure Sockets Layer (SSL)</p><p>Cryptographic protocols that provide security for communications over networks such as the Internet.</p><p>TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.</p><p>Used in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).</p></li>
<li><p>Cloud Computing Security Issues</p><p>XML Signature</p><p>Browser Security</p><p>Cloud Integrity and Binding Issues</p><p>Flooding Attacks</p></li>
<li><p>XML Signature</p><p>Issue: XML Signature Element Wrapping</p><p>In 2008 it was discovered that Amazon's EC2 services were vulnerable to wrapping attacks.</p></li>
<li><p>SOAP message with signed SOAP body</p><p>SOAP message after attack</p></li>
<li><p>Browser Security</p><p>The Legacy Same Origin Policy (SOP)</p><p>Attacks on Browser-based Cloud Authentication</p><p>Secure Browser-based Authentication</p><p>Future Browser Enhancements</p></li>
<li><p>Same Origin Policy</p><p>Allows read/write operations from the same origin,</p><p>where the origin is defined by the tuple (domain name, protocol, port).</p><p>Problems:</p><p>DNS caches can easily be filled with bogus data.</p><p>Since DNS relies heavily on caching, domain names become unreliable.</p></li>
<li><p>Attacks on Browser-based Cloud Authentication</p><p>Since the browser itself is unable to generate cryptographically valid XML tokens to authenticate against the cloud, this is done with the help of a trusted third party.</p><p>Federated Identity Management (FIM) protocols, e.g. Microsoft's Passport</p></li>
<li><p>Attacks on Browser-based Cloud Authentication</p><p>Current browser-based authentication protocols for the Cloud are not secure, because</p><p>the browser is unable to issue XML-based security tokens by itself, and</p><p>Federated Identity Management systems store security tokens within the browser, where they are only protected by the (insecure) SOP.</p></li>
<li><p>Secure Browser-based Authentication</p><p>Is done by integrating TLS and SOP, and securing FIM protocols.</p><p>4 ways:</p><p>TLS federation: uses X.509 client certificate</p><p>SAML 2.0 holder-of-key assertion profile</p><p>Strong Locked same origin policy: uses the server's public key instead of DNS</p><p>TLS session binding</p></li>
<li><p>Future Browser Enhancements</p><p>By adding two enhancements to the browser security API:</p><p>1. XML Encryption</p><p>2. XML Signature</p><p>In addition, the API should be powerful enough to support all standard key agreement methods specified in the WS-Security family of standards.</p></li>
<li><p>Cloud Integrity and Binding Issues</p><p>Cloud Malware Injection Attack</p><p>Metadata Spoofing Attack</p></li>
<li><p>Cloud Malware Injection Attack</p><p>Injecting a malicious service implementation or virtual machine into the cloud system.</p><p>Requires the adversary to create its own malicious service implementation module (SaaS/PaaS/IaaS) and add it to the cloud system.</p><p>Solution: a service instance integrity check prior to using a service instance for incoming requests.</p><p>This can be done by storing a hash value on the original service instance's image file.</p></li>
<li><p>Metadata Spoofing Attack</p><p>Aims at maliciously reengineering a web service's metadata descriptions.</p><p>Example: modifying a WSDL (Web Service description document) so that a call to a deleteUser operation syntactically looks like a call to another operation, say setAdminRights.</p><p>Solution: hash-based integrity verification of the metadata description file prior to usage is required.</p></li>
<li><p>Flooding Attack</p><p>Direct Denial of Service</p><p>Indirect Denial of Service</p><p>Accounting and Accountability</p></li>
<li><p>Conclusion and Future Work</p><p>Improving Cloud Computing security consists in strengthening the security capabilities of both Web browsers and Web Service frameworks, at best integrating the latter into the former.</p></li>
<li><p>References</p><p>"On technical security issues in cloud computing," Meiko, Jorg, Nils, Luigi, IEEE 2009.</p><p>M. Jensen and J. Schwenk, "The accountability problem of flooding attacks in service-oriented architectures," in Proceedings of the IEEE International Conference on Availability, Reliability and Security (ARES), 2009.</p><p>N. Gruschka and L. Lo Iacono, "Vulnerable Cloud: SOAP Message Security Validation Revisited," in ICWS '09: Proceedings of the IEEE International Conference on Web Services. Los Angeles, USA: IEEE, 2009.</p><p>Google, "Browser security handbook," 2009. [Online]. Available: http://code.google.com/p/browsersec/</p><p>M. Jensen, N. Gruschka, and N. Luttenberger, "The Impact of Flooding Attacks on Network-based Services," in Proceedings of the IEEE International Conference on Availability, Reliability and Security (ARES), 2008.</p><p>http://en.wikipedia.org/wiki/WS-Security</p><p>http://en.wikipedia.org/wiki/Soap</p><p>http://en.wikipedia.org/wiki/XML_Signature</p><p>http://en.wikipedia.org/wiki/Transport_layer_security</p></li>
<li><p>Thank You</p></li>
</ul>
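
The XML Signature element wrapping issue on the slides comes down to a service validating the signature over one element while its application logic processes another. The following Python check is an added example, not code from the presentation or the cited paper: it confirms that the element a signature reference points to is the single soap:Body the service will process. The function name, the sample messages (simplified, with no wsse:Security wrapper or digest values) and the assumption that cryptographic signature validation happens separately are all illustrative.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ID_ATTRS = ("{%s}Id" % WSU, "Id")

def check_signed_body(xml_text):
    """Return findings; an empty list means the Body that will be processed is the signed one."""
    root = ET.fromstring(xml_text)
    bodies = root.findall("{%s}Body" % SOAP)      # direct children of Envelope only
    header = root.find("{%s}Header" % SOAP)
    if root.tag != "{%s}Envelope" % SOAP or len(bodies) != 1 or header is None:
        return ["not a SOAP envelope with one Header and exactly one Body"]
    body = bodies[0]
    # Index every element by Id so duplicated or relocated signed elements become visible.
    by_id = {}
    for el in root.iter():
        for value in {el.attrib[a] for a in ID_ATTRS if a in el.attrib}:
            by_id.setdefault(value, []).append(el)
    findings, covered = [], False
    for ref in header.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        targets = by_id.get(uri[1:], []) if uri.startswith("#") else []
        if len(targets) != 1:
            findings.append("Reference %s resolves to %d elements" % (uri, len(targets)))
        elif targets[0] is body:
            covered = True                        # signature covers the processed Body
    if not covered:
        findings.append("processed soap:Body is not the element covered by the signature")
    return findings

# Constructed sample messages (simplified; hypothetical GetStatus operation).
ENV = ('<soap:Envelope xmlns:soap="%s" xmlns:ds="%s" xmlns:wsu="%s"><soap:Header>'
       '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo>'
       '</ds:Signature>%%s</soap:Header>%%s</soap:Envelope>' % (SOAP, DS, WSU))
SIGNED_BODY = '<soap:Body wsu:Id="body"><GetStatus/></soap:Body>'
GENUINE = ENV % ("", SIGNED_BODY)
# Signed Body relocated into the Header; an unsigned Body sits where the application reads.
WRAPPED = ENV % ("<Wrapper>%s</Wrapper>" % SIGNED_BODY,
                 '<soap:Body wsu:Id="other"><GetStatus/></soap:Body>')

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("wrapped", WRAPPED)):
        print(name, check_signed_body(msg) or "ok")
```

The check is structural only: it has to run in addition to validating the signature value and digests, and the application must then consume the same element object the check approved.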