Security concerns with SaaS layer of Cloud computing
Clinton D Souza
CSE486
01/29/2013



Page 2: Outline

Cloud computing.
Service and deployment models.
SaaS layer.
Cloud security structure.
SaaS possible exploits.
Security breaches.
SaaS solution criteria.
Conclusion.

Page 3: References

NIST SP 800-145, The NIST Definition of Cloud Computing: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
IEEE Xplore, article 5704104 (accessed through the ASU library proxy): http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=5704104
Trend Micro, "Data breach at Microsoft highlights security problem in SaaS": http://cloud.trendmicro.com/data-breach-at-microsoft-highlights-security-problem-in-saas/
cylaw.info, "Panda Security hacked by Antisec": http://cylaw.info/panda-security-hacked-by-antisec/
Softpedia, "Zero-Day Vulnerability Found in McAfee's SaaS Products": http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml

Page 4: Cloud computing

NIST definition: a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Source: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Figure: http://en.wikipedia.org/wiki/File:Cloud_computing.svg

Page 6: Deployment models

Public cloud: provisioned for open use by the general public. It may be owned, managed and operated by a business, academic or government organization, or some combination of them, and it exists on the premises of the cloud provider.

Private cloud: provisioned for exclusive use by a single organization comprising multiple consumers (e.g. business units).

Hybrid cloud: a composition of two or more distinct cloud infrastructures (private, community or public) that remain unique entities but are bound together by technology that enables data and application portability.

Source: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Page 7: SaaS layer

Software applications run by the provider on a cloud infrastructure and made accessible to consumers from various client devices (e.g. a web browser or a program interface).

The consumer does not manage or control the underlying cloud infrastructure (network, servers, operating systems, storage) or the individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Figure (layered cloud stack from the IEEE paper cited below): Hardware Infrastructure (IaaS) and System Infrastructure (IaaS) at the bottom; Platform / Business Service (PaaS) above them, with Data Service and Tenant Management as shared components; several Service App (SaaS) boxes side by side at the top, all sharing the same platform.

Source: http://ieeexplore.ieee.org.ezproxy1.lib.asu.edu/stamp/stamp.jsp?tp=&arnumber=5704104

Page 8: Cloud security structure

Tipton, Harold F.; Nozaki, Micki Krause. Information Security Management Handbook, 6th ed. USA: CRC Press, 2012.

Page 9: SaaS possible exploits

Two main points of entry into the SaaS layer:

User point of entry: the most common point of attack in a SaaS model.
Provider point of entry.

An example of the user-side attack is SQL injection. The PHP manual shows an application that builds an UPDATE statement by splicing user-supplied values straight into the SQL string. The flaw is in how the application constructs the query, not in PostgreSQL or MySQL themselves: any database server will run the injected statement as written. Depending on which field the attacker controls, the injected text either resets the passwords of all administrator accounts or grants the attacker's own account administrator rights:

<?php
// The application builds its query as:
//   UPDATE usertable SET pwd='$pwd' WHERE uid='$uid';

// Case 1: attacker supplies $uid = ' or uid like '%admin%
// The WHERE clause now matches every account whose uid contains "admin":
$query = "UPDATE usertable SET pwd='...' WHERE uid='' or uid like '%admin%';";

// Case 2: attacker supplies $pwd = hehehe', trusted=100, admin='yes
// The SET clause now also changes trusted and admin on the attacker's own row:
$query = "UPDATE usertable SET pwd='hehehe', trusted=100, admin='yes' WHERE ...;";
?>

Source: http://php.net/manual/en/security.database.sql-injection.php
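
The two payloads above, replayed against a live database, as an added example that is not part of the original slides or of the PHP manual. It uses Python's built-in sqlite3 module as a stand-in for the MySQL/PostgreSQL backend, a constructed usertable with three accounts (an assumption about the manual's schema), and puts the vulnerable string-built UPDATE next to the parameterized form so the same input can be seen changing the statement in one case and staying plain data in the other:

```python
import sqlite3

# Payloads quoted from the PHP manual's SQL-injection example.
UID_PAYLOAD = "' or uid like '%admin%"
PWD_PAYLOAD = "hehehe', trusted=100, admin='yes"

# Constructed sample accounts (assumption: usertable has these four columns).
SEED = [
    # uid,        pwd,        trusted, admin
    ("alice",     "alice-pw", 0,       "no"),
    ("admin",     "s3cret",   100,     "yes"),
    ("siteadmin", "other",    100,     "yes"),
]


def fresh_db():
    """In-memory SQLite database standing in for the MySQL/PostgreSQL backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE usertable (uid TEXT, pwd TEXT, trusted INTEGER, admin TEXT)")
    con.executemany("INSERT INTO usertable VALUES (?, ?, ?, ?)", SEED)
    return con


def vulnerable_update(con, uid, pwd):
    """Same shape as the manual's template: user input spliced into the SQL text.
    Returns the number of rows the UPDATE touched."""
    query = f"UPDATE usertable SET pwd='{pwd}' WHERE uid='{uid}';"
    return con.execute(query).rowcount


def safe_update(con, uid, pwd):
    """Hardened form: the SQL text is fixed and the values travel as bound
    parameters, so quotes and keywords in the input are only ever data."""
    return con.execute("UPDATE usertable SET pwd=? WHERE uid=?", (pwd, uid)).rowcount


def row(con, uid):
    return con.execute(
        "SELECT uid, pwd, trusted, admin FROM usertable WHERE uid=?", (uid,)
    ).fetchone()


def demo():
    """Run both payloads against the vulnerable and the hardened update."""
    out = {}

    # Case 1 (uid payload): WHERE uid='' or uid like '%admin%' resets every admin password.
    con = fresh_db()
    out["vuln_reset_count"] = vulnerable_update(con, UID_PAYLOAD, "owned")
    out["vuln_admin_pwd"] = row(con, "admin")[1]

    # Case 2 (pwd payload): SET pwd='hehehe', trusted=100, admin='yes' escalates alice.
    con = fresh_db()
    vulnerable_update(con, "alice", PWD_PAYLOAD)
    out["vuln_alice"] = row(con, "alice")

    # Same payloads against the parameterized query: no row matches the literal uid,
    # and alice's password becomes the literal payload string; nothing else changes.
    con = fresh_db()
    out["safe_reset_count"] = safe_update(con, UID_PAYLOAD, "owned")
    safe_update(con, "alice", PWD_PAYLOAD)
    out["safe_alice"] = row(con, "alice")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable update, the first payload rewrites two rows (admin and siteadmin) and the second turns alice into a trusted administrator; against the parameterized update the first payload matches nothing and the second merely stores an odd-looking password. Escaping quotes by hand is not an equivalent fix: the bound-parameter form is the one that keeps the statement structure out of the attacker's reach.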

Page 10: SaaS (Software as a Service) vulnerabilities

SaaS attack types: the most common attacks associated with the SaaS model in a public cloud infrastructure, divided into the following four groups.

Availability
• Denial of service
• Account lockout
• Buffer overflow

Data security
• Cross-site scripting
• Access control weakness
• Privilege escalation

Network security
• Network penetration
• Session hijacking
• Data packet interception

Identity management
• Authentication weakness
• Insecure trust
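
The "Account lockout" entry under Availability is worth a closer look, because it is a case where a security control becomes the attack: a policy that locks an account after a few wrong passwords lets anyone who knows a username deny that user access. The following is an added example, not from the slides or any cited source. It models two login policies over a constructed scenario (the addresses are from the RFC 5737 documentation ranges, and password_ok stands in for the real credential check): a naive per-account hard lockout, and a per-(account, source) throttle that blocks the guessing address without touching the legitimate user.

```python
from collections import defaultdict

MAX_FAILURES = 5           # failed logins tolerated before the policy reacts
ATTACKER = "198.51.100.7"  # constructed addresses (RFC 5737 documentation ranges)
VICTIM = "203.0.113.5"


class HardLockout:
    """Naive policy: after MAX_FAILURES bad passwords the account is locked for
    everyone, whoever caused the failures. An attacker who only knows the
    victim's username can therefore lock the victim out at will."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, account, source, password_ok):
        # password_ok stands in for the real credential check (demo assumption)
        if account in self.locked:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked.add(account)
        return "denied"


class SourceThrottle:
    """Hardened policy: the failure budget is kept per (account, source) pair,
    so a flood of bad guesses from one address blocks that address for that
    account while the real user, coming from elsewhere, still gets in."""

    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, account, source, password_ok):
        key = (account, source)
        if self.failures[key] >= MAX_FAILURES:
            return "throttled"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def simulate(policy):
    """Constructed scenario: the attacker sends 20 wrong passwords for the
    victim's account, then the victim logs in with the correct one.
    Returns the outcome of the victim's legitimate attempt."""
    for _ in range(20):
        policy.attempt("victim", ATTACKER, password_ok=False)
    return policy.attempt("victim", VICTIM, password_ok=True)


def attacker_after_flood(policy):
    """Outcome of the attacker's next wrong guess after the flood in simulate()."""
    simulate(policy)
    return policy.attempt("victim", ATTACKER, password_ok=False)


if __name__ == "__main__":
    print("hard lockout, victim login:", simulate(HardLockout()))       # locked
    print("source throttle, victim login:", simulate(SourceThrottle()))  # ok
```

Under HardLockout the victim's correct password is refused with "locked"; under SourceThrottle it succeeds while the attacker's address is "throttled" for that account. Per-source throttling on its own is weakened when guesses are spread across many addresses, so production systems pair it with progressive delays, a CAPTCHA or a second factor rather than a permanent lock.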

Page 11: Recent security breaches

Data breach at Microsoft highlights security problem in SaaS (Trend Micro).
Panda Security hacked by Antisec (cylaw.info).
Zero-day vulnerability found in McAfee's SaaS products (Softpedia).

Page 12: McAfee security breach

Zero-day vulnerability found in McAfee's SaaS products (April 2011). An attacker can execute arbitrary code on the victim's machine if the victim visits a malicious page or opens a malicious file.

Rated 9 out of a maximum of 10 on the Common Vulnerability Scoring System (CVSS).

Root cause: a method accepts commands and passes them to a function that simply executes them, without any authentication.

McAfee SaaS includes:
Email Protection (protection against viruses and spam)
McAfee Integrated Suites (protection against viruses, web threats, etc.)

Patch released in August 2011.

Source: http://news.softpedia.com/news/Zero-Day-Vulnerability-Found-in-McAfee-s-SaaS-Products-247051.shtml

Page 13: SaaS solution criteria

Criteria for evaluating a security-as-a-service solution (Websense white paper):
Reliability.
Effectiveness.
Performance.
Flexibility.
Control.
Privacy and security.
Total cost of ownership (TCO).

Source: http://www.websense.net/assets/white-papers/whitepaper-seven-criteria-for-evaluation-security-as-a-service-solutions-en.pdf

Page 14: Conclusion

Cloud computing models are relatively new, so their security properties are less well understood and their implementations less mature, which leaves them susceptible to vulnerabilities.

The SaaS layer in a public cloud is more vulnerable to attack because it is directly accessible to users.

The types of attack on SaaS products are the familiar ones (injection, cross-site scripting, session hijacking), but a single breach of a shared, multi-tenant service affects many customers at once, so its impact is greater.

A number of security criteria need to be considered while developing a SaaS application.