overview abstract vulnerability: an overview cloud computing cloud-specific vulnerabilities...


Upload: preston-oneal

Post on 13-Jan-2016


Page 1: Overview Abstract Vulnerability: An Overview Cloud Computing Cloud-Specific Vulnerabilities Architectural Components and Vulnerabilities Conclusion

Overview

Abstract
Vulnerability: An Overview
Cloud Computing
Cloud-Specific Vulnerabilities
Architectural Components and Vulnerabilities
Conclusion


Abstract

[Figure: Cloud Computing, with example services Blog, News, Gmail, Amazon, Google Map, Plurk, Facebook, Twitter]


Vulnerability: An Overview

ISO 27005 defines risk as “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization”

EX: DB Server SQL injection
EX: Sony PSN


Vulnerability: An Overview

Defining Vulnerability

According to the Open Group’s risk taxonomy, vulnerability is the probability that an asset will be unable to resist the actions of a threat agent.

EX: Intranet vs. Extranet


Cloud Computing

Core Cloud Computing Technologies


Cloud Computing

Essential Characteristics of Cloud Computing

(NIST) description

On-demand self-service.
Ubiquitous network access.
Resource pooling.
Rapid elasticity.
Measured service.


Cloud-Specific Vulnerabilities

Core-Technology Vulnerabilities

Virtual machine escape.
EX: VM attack

Session riding and hijacking.
EX: Cross-site Request Forgery

Insecure or obsolete cryptography.
EX: Password attack


Cloud-Specific Vulnerabilities

Essential Cloud Characteristic Vulnerabilities

Unauthorized access to management interface.
EX: Azure management

Internet protocol vulnerabilities.
EX: Scan Host Protocol

Data recovery vulnerability.
EX: Natural disasters

Metering and billing evasion.
EX: Pay Money


Cloud-Specific Vulnerabilities

Defects in Known Security Controls - IaaS

Virtualized networks offer insufficient network-based controls.
EX: vulnerability scanning is invalid

Poor key management procedures.
EX: many different kinds of keys

Security metrics aren’t adapted to cloud infrastructures.
EX: cloud customers can’t monitor resources


Architectural Components and Vulnerabilities


Architectural Components and Vulnerabilities

Cloud Software Infrastructure and Environment - PaaS

a development and runtime environment
EX: more supported languages

storage services
EX: database interface

communication infrastructure
EX: Azure AppFabric Service Bus


Architectural Components and Vulnerabilities

Computational Resources

concerns how virtual machine images are handled
EX: VM is not a free resource
EX: image can be taken from an untrustworthy source


Architectural Components and Vulnerabilities

Storage

obsolete cryptography and poor key management
EX: physical disk destruction can’t be carried out


Architectural Components and Vulnerabilities

Communication

vulnerabilities of shared network infrastructure components


Architectural Components and Vulnerabilities

Cloud Web Applications

an application component operated somewhere in the cloud.
a browser component running within the user’s browser.

EX: session riding and hijacking vulnerabilities and injection vulnerabilities.


Architectural Components and Vulnerabilities

Services and APIs

application URL would only give the user a browser component


Architectural Components and Vulnerabilities

Management Access

management access is often realized using a Web application or service


Architectural Components and Vulnerabilities

Identity, Authentication, Authorization, and Auditing Mechanisms

Denial of service by account lockout.
EX: Lock Account

Weak credential-reset mechanisms.
EX: not using federated authentication

Insufficient or faulty authorization checks.
EX: root cause of URL-guessing attacks

Coarse authorization control.
EX: duty separation

Insufficient logging and monitoring possibilities.
EX: no standards for logging and monitoring


Architectural Components and Vulnerabilities

Provider

users’ inability to control cloud infrastructure


Conclusion

Cloud computing is in constant development


Any questions?